Analysis Overview
SHA256
859571a129deed67ebc60c7e2e5d48b1e1282121e11d1d696e9cac88fa7c3643
Threat Level: Known bad
The file PTHAV002_2024-10-24_15_43_35.016.zip was found to be: Known bad.
Malicious Activity Summary
Guloader, Cloudeye
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Drops file in Windows directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-24 15:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-24 15:47
Reported
2024-10-24 15:49
Platform
win7-20240903-en
Max time kernel
80s
Max time network
146s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\factura 563423.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PTHAV002_2024-10-24_15_43_35.016.zip"
C:\Users\Admin\Desktop\factura 563423.exe
"C:\Users\Admin\Desktop\factura 563423.exe"
C:\Users\Admin\Desktop\factura 563423.exe
"C:\Users\Admin\Desktop\factura 563423.exe"
C:\Users\Admin\Desktop\factura 563423.exe
"C:\Users\Admin\Desktop\factura 563423.exe"
C:\Users\Admin\Desktop\factura 563423.exe
"C:\Users\Admin\Desktop\factura 563423.exe"
C:\Users\Admin\Desktop\factura 563423.exe
"C:\Users\Admin\Desktop\factura 563423.exe"
C:\Users\Admin\Desktop\factura 563423.exe
"C:\Users\Admin\Desktop\factura 563423.exe"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\factura 563423\" -spe -an -ai#7zMap12206:86:7zEvent20461
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\factura 563423\" -spe -an -ai#7zMap30890:86:7zEvent27328
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap2082:86:7zEvent735
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
Files
C:\Users\Admin\Desktop\factura 563423.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 6cb35cad38c80bbb552c99caf75f9371 |
| SHA1 | f1dcc7d9805738aaf1f30b32383674ea30706269 |
| SHA256 | 057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf |
| SHA512 | 638594b7228a8e747c34f1ab7916774feaff1ce58e875e64bb28cc6742472a305c5aa06e709ec708aad990d9e78ce828509af8a575b3fe62082699de1bb81734 |
C:\Users\Admin\Desktop\peripheries.lnk
| Algorithm | Digest |
| --- | --- |
| MD5 | a0b9574aca19808a588e1fd996cd2833 |
| SHA1 | 0d6963cff9a899898a0015a37151a7a6390ea727 |
| SHA256 | ccb9592997bf91936138f0c037a1bee30f2e9236869eadc17e23da3d86457390 |
| SHA512 | 85e90012578075e571ec0f04480d09368b5891bf6511ffa544c139a7e9aa7fb1e755807a2db72c962a79a9e910efb92c9906bb07061fb8b3da068a3661284d94 |
C:\Users\Admin\Desktop\peripheries.lnk
| Algorithm | Digest |
| --- | --- |
| MD5 | 12661c6cccda04f3a4719c9b72a86abc |
| SHA1 | 0e8c6150b6c71e6e5422cc5547ad52745e8083e7 |
| SHA256 | a1cc70e70b85a820f970a82ce1c58524e4c15052f6b1db4620e67374eb17ba2a |
| SHA512 | fe8b1771cefaf501d69e3cf1295e8174c13d8d9569684b2537aa373f89d2ea252f5c8215bc3d1aac9055938f7f45a3673ca0791f332c909eac9f605d01093a08 |
\Users\Admin\AppData\Local\Temp\nst36CA.tmp\System.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | cf85183b87314359488b850f9e97a698 |
| SHA1 | 6b6c790037eec7ebea4d05590359cb4473f19aea |
| SHA256 | 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac |
| SHA512 | fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b |
C:\Users\Admin\Desktop\peripheries.lnk
| Algorithm | Digest |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Desktop\peripheries.lnk
| Algorithm | Digest |
| --- | --- |
| MD5 | 45ebd74a4d9e6c8c6353ac7763420a80 |
| SHA1 | 857492613707b3560a517c37312af9d972b5a99c |
| SHA256 | 2db87e5584d782872e760ed647480763508ecf5e97aaa37c3060dbd6eb987123 |
| SHA512 | f90b1ea000531b4aa9aa1212273c91fd73dfd7145ec59b7d16c184273d08207a89da33b1e7f5e09d1b38eafc103cad81a255ded5274095632b87cc3253ac443f |
memory/3148-53882-0x0000000000400000-0x0000000001462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3AC0.tmp
| Algorithm | Digest |
| --- | --- |
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/3148-61397-0x0000000000400000-0x0000000001462000-memory.dmp
memory/3192-61402-0x0000000000400000-0x0000000001462000-memory.dmp
C:\Users\Admin\Desktop\factura 563423\chagul\Sluttidspunktets.ace
| Algorithm | Digest |
| --- | --- |
| MD5 | 27a799752643f5e96c57957dd115f836 |
| SHA1 | c25dbe476573cbb94df8cb43cbbb7446e57b5bd4 |
| SHA256 | 6770149a0d8af75d3d8df950cf3d1a8475fc73e60ef9e3bd03ad04a2001035e7 |
| SHA512 | fc46c8bd1186b0381e0f4679cb0844456dde98e62c47888c4eefdddc34c56274ab739c21c1dad4c75473a74a188698d9a268e07cd66c33464619ff6094ccf66f |
C:\Users\Admin\Desktop\factura 563423\chagul\Hjortetakkens.pro
| Algorithm | Digest |
| --- | --- |
| MD5 | 87a52f4e6ce72e090d982511c93e363e |
| SHA1 | c6a263c8afd9d2fc60fc7a07a8449f8a8cbd713d |
| SHA256 | 838472456a1b5905bec73fe10a4afc9a09c01dfa3ff108deb1ceb57fac83718f |
| SHA512 | 1d1f3973faebb73c0989d3fc991adad9f444ca36f7ea2c5fc0443769fde9e11c6eb1cbd2c6143c5da9167f2176c298d169a828b466826a6fde68e61961387b58 |
C:\Users\Admin\Desktop\factura 563423\Objektiviseringen\Hematomancy42.txt
| Algorithm | Digest |
| --- | --- |
| MD5 | 4da37058224bd7b59229bb611e105f39 |
| SHA1 | 1da82b8c8f86e54f744aff64c798e84d1c70e4eb |
| SHA256 | 4f6eb70f672b677aaa6a534a1bfe8834e2608b72957d57df8089665816ddd90e |
| SHA512 | f839f7fbfedd517cf9a9c253ced6641f1d7cdb69694ba6ed939500ff99fe5247976c09ec915675d8691c04b80ba2f8e49068b4f916904bde994b4051abe3e98e |
C:\Users\Admin\Desktop\factura 563423\Objektiviseringen\Rvegraves.rej
| Algorithm | Digest |
| --- | --- |
| MD5 | 84523a696370eab2f84cc398ffd50054 |
| SHA1 | 9279a88692c419da715b74828f456ef4756ee7a0 |
| SHA256 | 8bf70ce6c463271b6bb4e259d1cbf5ae228751ccf95c5b69756cbeb9de60be95 |
| SHA512 | 40d04c68c156e120eef4463962d0dfb96e48a86709a3f162c4c1aa2c840f6058881ccda0d9006c35bbbe5bdde40eb27b1ddc0f71262cd682f37601992d9d853a |
C:\Users\Admin\Desktop\factura 563423\chagul\Fortovs\southwestern.gor
| Algorithm | Digest |
| --- | --- |
| MD5 | 79ad4943801e304b83e39774d00ed227 |
| SHA1 | e3ed1c0c871e490194fad68584d401104e0d2bd6 |
| SHA256 | 1c0cc2363d16826b2c8d36d983e883e3d81e12df8456e3512bf80e7de28c9583 |
| SHA512 | 497dc447dd0bd52479445e7fce633427e17dcb02546e876b9ad6945a2c1186de20c26f7ea324ebb8608bf76b16846b738c8fba138004da07a7494e743e925481 |
C:\Users\Admin\Desktop\factura 563423\chagul\programdels.fla
| Algorithm | Digest |
| --- | --- |
| MD5 | b0f8a54823350c2f31d2bb230615afb1 |
| SHA1 | 6f46b1e8491247556108d37809870f0c34fb0f7f |
| SHA256 | f7161357b945d6764d2c290af7f7290c1c00a08aaaac622b45e2719ac6a50968 |
| SHA512 | 957b98b57883b2d56186a2ac17582453d092f8ef84ac360d16c3e3ee4bc28100537df84d0f30ae880298657404e45ba29761814a5e3cf16c90510cb8175a63a3 |
C:\Users\Admin\Desktop\factura 563423\chagul\momentousments.afr
| Algorithm | Digest |
| --- | --- |
| MD5 | c6cca0bf9fb8cc569e1edbb70f5ab95e |
| SHA1 | fa9a3e70d31a5009f0d63d88ea8d224763936862 |
| SHA256 | 705a96fff4440f49a231e8d17b289d97786ec373aa5b39fdad48b410dca53ea8 |
| SHA512 | efa09455d16f63322bd81986aeccc65aeab92a601aa11eb68725afcb3f61965510ffea65bb87a89a0123263189e6a4200958582f135b3c5bb0a023fddda35911 |
C:\Users\Admin\Desktop\factura 563423\chagul\legaliserende.tro
| Algorithm | Digest |
| --- | --- |
| MD5 | a372469d5ea672a9c76fdcfe1127b8df |
| SHA1 | 25129be715c8a42ececfc70330e29a8bb7d21e14 |
| SHA256 | 3eb84177ebd5ca99880fee24652579f356008c29ff31e8e0f157693c3e16cc69 |
| SHA512 | 15179350720dec225250a113603e1b7d9f11d7556365dcf61f150d775ddfdb930fd08079f6d933c108d3748e63118b5d5d7017b2f29657af6ff07eb826d36d20 |
C:\Users\Admin\Desktop\factura 563423\chagul\crappin.fan
| Algorithm | Digest |
| --- | --- |
| MD5 | e2701f9b21e2e3383c23d42a8a80f0cd |
| SHA1 | b48623eb7f31a6e559cb276cec52b8629f28688f |
| SHA256 | 4cbc5303baa96a022304acac34ad9cbf9db661e89bf603ca872b0f38e2c7f3b7 |
| SHA512 | c3d53de9228dbcc8498be846562a4630a35a321bab5344bd2ca4452b8c161405785a65ad2425b8764c0e95479f230fd8f78bf5501cad820deba8e5563621a122 |
memory/3148-62233-0x0000000000400000-0x0000000001462000-memory.dmp
memory/3148-62232-0x0000000000400000-0x0000000001462000-memory.dmp
memory/3192-62234-0x0000000000400000-0x0000000001462000-memory.dmp
memory/3192-92813-0x0000000000400000-0x0000000001462000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-24 15:47
Reported
2024-10-24 15:49
Platform
win10v2004-20241007-en
Max time kernel
132s
Max time network
126s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PTHAV002_2024-10-24_15_43_35.016.zip"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-24 15:47
Reported
2024-10-24 15:49
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Guloader, Cloudeye
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2432 set thread context of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 456
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.178.14:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.73:80 | crl.microsoft.com | tcp |
Files
C:\Users\Admin\Desktop\peripheries.lnk
| Algorithm | Digest |
| --- | --- |
| MD5 | c6fd1538cea9d4df087e2d323d7704d1 |
| SHA1 | ab425391c84cdbfa97dcbcc132251574ad2d214b |
| SHA256 | 99ef8ab7d11ea63fb02550b0882a4a2a537374449d44782bc504a8dedc00bdfc |
| SHA512 | adcad143ac989da96ed754875c4e999ee25d5c97c423b2503c7c1b7bee6c998c27483d22cdf85a90c7a8b23f93122652688ea383c1cc19589912af0bfb6188f9 |
C:\Users\Admin\Desktop\peripheries.lnk
| Algorithm | Digest |
| --- | --- |
| MD5 | 3f645fe4b4adce1d1472df12098eff41 |
| SHA1 | 7a0765c17cbf95a6e4b9cefc58cd1680da327b76 |
| SHA256 | 3d2ab3b3b6bab614b83a710c24bcddc0a468ad5347e47d11658b83ddcffb56c0 |
| SHA512 | 0df3d528004da1ddaabddd1e6f732e98905837e8f512bbd4bbed57e6d3c28a04ba85b3372372e9b4ac6a9420b564dde931601ae18ad3b84039eb4ea1b4caaf41 |
\Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\System.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | cf85183b87314359488b850f9e97a698 |
| SHA1 | 6b6c790037eec7ebea4d05590359cb4473f19aea |
| SHA256 | 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac |
| SHA512 | fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b |
memory/2432-24644-0x00000000034C0000-0x0000000004D2B000-memory.dmp
memory/2432-24645-0x0000000077181000-0x0000000077282000-memory.dmp
memory/2432-24646-0x0000000077180000-0x0000000077329000-memory.dmp
memory/2432-24647-0x00000000034C0000-0x0000000004D2B000-memory.dmp
memory/980-24648-0x0000000000400000-0x0000000001462000-memory.dmp
memory/980-24649-0x0000000077180000-0x0000000077329000-memory.dmp
memory/980-24671-0x0000000000400000-0x0000000001462000-memory.dmp
memory/980-24670-0x0000000000400000-0x0000000001462000-memory.dmp
memory/980-24672-0x0000000000400000-0x0000000001462000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-24 15:47
Reported
2024-10-24 15:50
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Guloader, Cloudeye
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\oecus\svante.Eft | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4600 set thread context of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\resources\sankthansaftnerne\clodpoll.saf | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1140 -ip 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1780
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.178.14:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.178.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\Desktop\peripheries.lnk
| Algorithm | Digest |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\nsqC8BF.tmp\System.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | cf85183b87314359488b850f9e97a698 |
| SHA1 | 6b6c790037eec7ebea4d05590359cb4473f19aea |
| SHA256 | 3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac |
| SHA512 | fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b |
memory/4600-24644-0x0000000003300000-0x0000000004B6B000-memory.dmp
memory/4600-24645-0x0000000077D41000-0x0000000077E61000-memory.dmp
memory/4600-24646-0x0000000010004000-0x0000000010005000-memory.dmp
memory/4600-24647-0x0000000003300000-0x0000000004B6B000-memory.dmp
memory/1140-24648-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1140-24649-0x0000000001660000-0x0000000002ECB000-memory.dmp
memory/1140-24650-0x0000000077DC8000-0x0000000077DC9000-memory.dmp
memory/1140-24651-0x0000000077DE5000-0x0000000077DE6000-memory.dmp
memory/1140-24664-0x0000000001660000-0x0000000002ECB000-memory.dmp
memory/1140-24666-0x0000000000401000-0x0000000000404000-memory.dmp
memory/1140-24665-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1140-24667-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1140-24669-0x0000000077D41000-0x0000000077E61000-memory.dmp
memory/1140-24668-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1140-24670-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1140-24671-0x0000000000400000-0x0000000001654000-memory.dmp
memory/1140-24672-0x0000000001660000-0x0000000002ECB000-memory.dmp
memory/1140-24673-0x0000000000401000-0x0000000000404000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-24 15:47
Reported
2024-10-24 15:49
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 224
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-24 15:47
Reported
2024-10-24 15:50
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4500 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4500 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4500 wrote to memory of 4956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4956 -ip 4956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 612
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |