Malware Analysis Report

2024-12-06 03:21

Sample ID 241024-s77adswhlp
Target PTHAV002_2024-10-24_15_43_35.016.zip
SHA256 859571a129deed67ebc60c7e2e5d48b1e1282121e11d1d696e9cac88fa7c3643
Tags: discovery guloader downloader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral6
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 859571a129deed67ebc60c7e2e5d48b1e1282121e11d1d696e9cac88fa7c3643

Threat Level: Known bad

The file PTHAV002_2024-10-24_15_43_35.016.zip was found to be: Known bad.

Malicious Activity Summary

Tags: discovery guloader downloader

Family: Guloader,Cloudeye

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-24 15:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NSIS installer

Tags: installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-24 15:47
Reported: 2024-10-24 15:49
Platform: win7-20240903-en
Max time kernel: 80s
Max time network: 146s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PTHAV002_2024-10-24_15_43_35.016.zip"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\Desktop\factura 563423.exe | N/A
File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\Desktop\factura 563423.exe | N/A
File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\Desktop\factura 563423.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\Desktop\factura 563423.exe | N/A
File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\Desktop\factura 563423.exe | N/A
File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\Desktop\factura 563423.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\factura 563423.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\factura 563423.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\factura 563423.exe | N/A

NSIS installer

Tags: installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PTHAV002_2024-10-24_15_43_35.016.zip"

C:\Users\Admin\Desktop\factura 563423.exe

"C:\Users\Admin\Desktop\factura 563423.exe"

C:\Users\Admin\Desktop\factura 563423.exe

"C:\Users\Admin\Desktop\factura 563423.exe"

C:\Users\Admin\Desktop\factura 563423.exe

"C:\Users\Admin\Desktop\factura 563423.exe"

C:\Users\Admin\Desktop\factura 563423.exe

"C:\Users\Admin\Desktop\factura 563423.exe"

C:\Users\Admin\Desktop\factura 563423.exe

"C:\Users\Admin\Desktop\factura 563423.exe"

C:\Users\Admin\Desktop\factura 563423.exe

"C:\Users\Admin\Desktop\factura 563423.exe"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\factura 563423\" -spe -an -ai#7zMap12206:86:7zEvent20461

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\factura 563423\" -spe -an -ai#7zMap30890:86:7zEvent27328

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap2082:86:7zEvent735

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 172.217.16.238:443 | drive.google.com | tcp
GB | 172.217.16.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.178.3:80 | c.pki.goog | tcp
GB | 142.250.178.3:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 142.250.178.3:80 | o.pki.goog | tcp
GB | 142.250.178.3:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp
GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.18.190.80:80 | crl.microsoft.com | tcp

Files

C:\Users\Admin\Desktop\factura 563423.exe

MD5 6cb35cad38c80bbb552c99caf75f9371
SHA1 f1dcc7d9805738aaf1f30b32383674ea30706269
SHA256 057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf
SHA512 638594b7228a8e747c34f1ab7916774feaff1ce58e875e64bb28cc6742472a305c5aa06e709ec708aad990d9e78ce828509af8a575b3fe62082699de1bb81734

C:\Users\Admin\Desktop\peripheries.lnk

MD5 a0b9574aca19808a588e1fd996cd2833
SHA1 0d6963cff9a899898a0015a37151a7a6390ea727
SHA256 ccb9592997bf91936138f0c037a1bee30f2e9236869eadc17e23da3d86457390
SHA512 85e90012578075e571ec0f04480d09368b5891bf6511ffa544c139a7e9aa7fb1e755807a2db72c962a79a9e910efb92c9906bb07061fb8b3da068a3661284d94

C:\Users\Admin\Desktop\peripheries.lnk

MD5 12661c6cccda04f3a4719c9b72a86abc
SHA1 0e8c6150b6c71e6e5422cc5547ad52745e8083e7
SHA256 a1cc70e70b85a820f970a82ce1c58524e4c15052f6b1db4620e67374eb17ba2a
SHA512 fe8b1771cefaf501d69e3cf1295e8174c13d8d9569684b2537aa373f89d2ea252f5c8215bc3d1aac9055938f7f45a3673ca0791f332c909eac9f605d01093a08

\Users\Admin\AppData\Local\Temp\nst36CA.tmp\System.dll

MD5 cf85183b87314359488b850f9e97a698
SHA1 6b6c790037eec7ebea4d05590359cb4473f19aea
SHA256 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
SHA512 fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

C:\Users\Admin\Desktop\peripheries.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Desktop\peripheries.lnk

MD5 45ebd74a4d9e6c8c6353ac7763420a80
SHA1 857492613707b3560a517c37312af9d972b5a99c
SHA256 2db87e5584d782872e760ed647480763508ecf5e97aaa37c3060dbd6eb987123
SHA512 f90b1ea000531b4aa9aa1212273c91fd73dfd7145ec59b7d16c184273d08207a89da33b1e7f5e09d1b38eafc103cad81a255ded5274095632b87cc3253ac443f

memory/3148-53882-0x0000000000400000-0x0000000001462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3AC0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/3148-61397-0x0000000000400000-0x0000000001462000-memory.dmp

memory/3192-61402-0x0000000000400000-0x0000000001462000-memory.dmp

C:\Users\Admin\Desktop\factura 563423\chagul\Sluttidspunktets.ace

MD5 27a799752643f5e96c57957dd115f836
SHA1 c25dbe476573cbb94df8cb43cbbb7446e57b5bd4
SHA256 6770149a0d8af75d3d8df950cf3d1a8475fc73e60ef9e3bd03ad04a2001035e7
SHA512 fc46c8bd1186b0381e0f4679cb0844456dde98e62c47888c4eefdddc34c56274ab739c21c1dad4c75473a74a188698d9a268e07cd66c33464619ff6094ccf66f

C:\Users\Admin\Desktop\factura 563423\chagul\Hjortetakkens.pro

MD5 87a52f4e6ce72e090d982511c93e363e
SHA1 c6a263c8afd9d2fc60fc7a07a8449f8a8cbd713d
SHA256 838472456a1b5905bec73fe10a4afc9a09c01dfa3ff108deb1ceb57fac83718f
SHA512 1d1f3973faebb73c0989d3fc991adad9f444ca36f7ea2c5fc0443769fde9e11c6eb1cbd2c6143c5da9167f2176c298d169a828b466826a6fde68e61961387b58

C:\Users\Admin\Desktop\factura 563423\Objektiviseringen\Hematomancy42.txt

MD5 4da37058224bd7b59229bb611e105f39
SHA1 1da82b8c8f86e54f744aff64c798e84d1c70e4eb
SHA256 4f6eb70f672b677aaa6a534a1bfe8834e2608b72957d57df8089665816ddd90e
SHA512 f839f7fbfedd517cf9a9c253ced6641f1d7cdb69694ba6ed939500ff99fe5247976c09ec915675d8691c04b80ba2f8e49068b4f916904bde994b4051abe3e98e

C:\Users\Admin\Desktop\factura 563423\Objektiviseringen\Rvegraves.rej

MD5 84523a696370eab2f84cc398ffd50054
SHA1 9279a88692c419da715b74828f456ef4756ee7a0
SHA256 8bf70ce6c463271b6bb4e259d1cbf5ae228751ccf95c5b69756cbeb9de60be95
SHA512 40d04c68c156e120eef4463962d0dfb96e48a86709a3f162c4c1aa2c840f6058881ccda0d9006c35bbbe5bdde40eb27b1ddc0f71262cd682f37601992d9d853a

C:\Users\Admin\Desktop\factura 563423\chagul\Fortovs\southwestern.gor

MD5 79ad4943801e304b83e39774d00ed227
SHA1 e3ed1c0c871e490194fad68584d401104e0d2bd6
SHA256 1c0cc2363d16826b2c8d36d983e883e3d81e12df8456e3512bf80e7de28c9583
SHA512 497dc447dd0bd52479445e7fce633427e17dcb02546e876b9ad6945a2c1186de20c26f7ea324ebb8608bf76b16846b738c8fba138004da07a7494e743e925481

C:\Users\Admin\Desktop\factura 563423\chagul\programdels.fla

MD5 b0f8a54823350c2f31d2bb230615afb1
SHA1 6f46b1e8491247556108d37809870f0c34fb0f7f
SHA256 f7161357b945d6764d2c290af7f7290c1c00a08aaaac622b45e2719ac6a50968
SHA512 957b98b57883b2d56186a2ac17582453d092f8ef84ac360d16c3e3ee4bc28100537df84d0f30ae880298657404e45ba29761814a5e3cf16c90510cb8175a63a3

C:\Users\Admin\Desktop\factura 563423\chagul\momentousments.afr

MD5 c6cca0bf9fb8cc569e1edbb70f5ab95e
SHA1 fa9a3e70d31a5009f0d63d88ea8d224763936862
SHA256 705a96fff4440f49a231e8d17b289d97786ec373aa5b39fdad48b410dca53ea8
SHA512 efa09455d16f63322bd81986aeccc65aeab92a601aa11eb68725afcb3f61965510ffea65bb87a89a0123263189e6a4200958582f135b3c5bb0a023fddda35911

C:\Users\Admin\Desktop\factura 563423\chagul\legaliserende.tro

MD5 a372469d5ea672a9c76fdcfe1127b8df
SHA1 25129be715c8a42ececfc70330e29a8bb7d21e14
SHA256 3eb84177ebd5ca99880fee24652579f356008c29ff31e8e0f157693c3e16cc69
SHA512 15179350720dec225250a113603e1b7d9f11d7556365dcf61f150d775ddfdb930fd08079f6d933c108d3748e63118b5d5d7017b2f29657af6ff07eb826d36d20

C:\Users\Admin\Desktop\factura 563423\chagul\crappin.fan

MD5 e2701f9b21e2e3383c23d42a8a80f0cd
SHA1 b48623eb7f31a6e559cb276cec52b8629f28688f
SHA256 4cbc5303baa96a022304acac34ad9cbf9db661e89bf603ca872b0f38e2c7f3b7
SHA512 c3d53de9228dbcc8498be846562a4630a35a321bab5344bd2ca4452b8c161405785a65ad2425b8764c0e95479f230fd8f78bf5501cad820deba8e5563621a122

memory/3148-62233-0x0000000000400000-0x0000000001462000-memory.dmp

memory/3148-62232-0x0000000000400000-0x0000000001462000-memory.dmp

memory/3192-62234-0x0000000000400000-0x0000000001462000-memory.dmp

memory/3192-92813-0x0000000000400000-0x0000000001462000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-24 15:47
Reported: 2024-10-24 15:49
Platform: win10v2004-20241007-en
Max time kernel: 132s
Max time network: 126s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PTHAV002_2024-10-24_15_43_35.016.zip"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PTHAV002_2024-10-24_15_43_35.016.zip"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-24 15:47
Reported: 2024-10-24 15:49
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"

Signatures

Guloader,Cloudeye

Tags: downloader guloader

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2432 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 2432 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 2432 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 2432 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 2432 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 2432 wrote to memory of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 980 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Windows\SysWOW64\WerFault.exe
PID 980 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Windows\SysWOW64\WerFault.exe
PID 980 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Windows\SysWOW64\WerFault.exe
PID 980 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 456

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.178.14:443 | drive.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.178.3:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 142.250.178.3:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.18.190.73:80 | crl.microsoft.com | tcp

Files

C:\Users\Admin\Desktop\peripheries.lnk

MD5 c6fd1538cea9d4df087e2d323d7704d1
SHA1 ab425391c84cdbfa97dcbcc132251574ad2d214b
SHA256 99ef8ab7d11ea63fb02550b0882a4a2a537374449d44782bc504a8dedc00bdfc
SHA512 adcad143ac989da96ed754875c4e999ee25d5c97c423b2503c7c1b7bee6c998c27483d22cdf85a90c7a8b23f93122652688ea383c1cc19589912af0bfb6188f9

C:\Users\Admin\Desktop\peripheries.lnk

MD5 3f645fe4b4adce1d1472df12098eff41
SHA1 7a0765c17cbf95a6e4b9cefc58cd1680da327b76
SHA256 3d2ab3b3b6bab614b83a710c24bcddc0a468ad5347e47d11658b83ddcffb56c0
SHA512 0df3d528004da1ddaabddd1e6f732e98905837e8f512bbd4bbed57e6d3c28a04ba85b3372372e9b4ac6a9420b564dde931601ae18ad3b84039eb4ea1b4caaf41

\Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\System.dll

MD5 cf85183b87314359488b850f9e97a698
SHA1 6b6c790037eec7ebea4d05590359cb4473f19aea
SHA256 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
SHA512 fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

memory/2432-24644-0x00000000034C0000-0x0000000004D2B000-memory.dmp

memory/2432-24645-0x0000000077181000-0x0000000077282000-memory.dmp

memory/2432-24646-0x0000000077180000-0x0000000077329000-memory.dmp

memory/2432-24647-0x00000000034C0000-0x0000000004D2B000-memory.dmp

memory/980-24648-0x0000000000400000-0x0000000001462000-memory.dmp

memory/980-24649-0x0000000077180000-0x0000000077329000-memory.dmp

memory/980-24671-0x0000000000400000-0x0000000001462000-memory.dmp

memory/980-24670-0x0000000000400000-0x0000000001462000-memory.dmp

memory/980-24672-0x0000000000400000-0x0000000001462000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-10-24 15:47
Reported: 2024-10-24 15:50
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"

Signatures

Guloader,Cloudeye

Tags: downloader guloader

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4600 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 4600 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 4600 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 4600 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
PID 4600 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1140 -ip 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1780

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.178.14:443 | drive.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.178.3:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 142.250.178.3:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\Desktop\peripheries.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nsqC8BF.tmp\System.dll

MD5 cf85183b87314359488b850f9e97a698
SHA1 6b6c790037eec7ebea4d05590359cb4473f19aea
SHA256 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
SHA512 fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

memory/4600-24644-0x0000000003300000-0x0000000004B6B000-memory.dmp

memory/4600-24645-0x0000000077D41000-0x0000000077E61000-memory.dmp

memory/4600-24646-0x0000000010004000-0x0000000010005000-memory.dmp

memory/4600-24647-0x0000000003300000-0x0000000004B6B000-memory.dmp

memory/1140-24648-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1140-24649-0x0000000001660000-0x0000000002ECB000-memory.dmp

memory/1140-24650-0x0000000077DC8000-0x0000000077DC9000-memory.dmp

memory/1140-24651-0x0000000077DE5000-0x0000000077DE6000-memory.dmp

memory/1140-24664-0x0000000001660000-0x0000000002ECB000-memory.dmp

memory/1140-24666-0x0000000000401000-0x0000000000404000-memory.dmp

memory/1140-24665-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1140-24667-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1140-24669-0x0000000077D41000-0x0000000077E61000-memory.dmp

memory/1140-24668-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1140-24670-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1140-24671-0x0000000000400000-0x0000000001654000-memory.dmp

memory/1140-24672-0x0000000001660000-0x0000000002ECB000-memory.dmp

memory/1140-24673-0x0000000000401000-0x0000000000404000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted: 2024-10-24 15:47
Reported: 2024-10-24 15:49
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-10-24 15:47
Reported: 2024-10-24 15:50
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4500 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4500 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4500 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4956 -ip 4956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

N/A