Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-11-2024 02:46
Static task
static1
Behavioral task
behavioral1
Sample
5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Catchpoleship.ps1
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Catchpoleship.ps1
Resource
win10v2004-20241007-en
General
-
Target
5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe
-
Size
545KB
-
MD5
6fa8bc297f2359d3cd35fc1ef12c1b9e
-
SHA1
b6be96971f04dd616e399a2cad14d49e08623036
-
SHA256
5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af
-
SHA512
baec2716fc69dc58a2eea22458ef6ab10825beb537bbdb9ec727d6086ea0cdff06136f709173c01a6643ef6bfc717e04e6de285862a5a6d5e9e3d9c9a6529793
-
SSDEEP
6144:VPXc3AQYxRhND7QZ+Z4jeRZEkzu5PdT0qsTbKqN1Z+i1Sl9DsZ+cBcomv6rb2:iuRT7QZ+Zj4kq25Cl9DsZ+URr
Malware Config
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 1244 powershell.exe -
Loads dropped DLL 1 IoCs
pid Process 1868 Yieldableness.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 26 drive.google.com 27 drive.google.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1244 powershell.exe 1868 Yieldableness.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\omflakkende\reparationsvrkstedernes.Clu 5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Yieldableness.exe -
NSIS installer 2 IoCs
resource yara_rule behavioral2/files/0x0003000000022ae8-63.dat nsis_installer_1 behavioral2/files/0x0003000000022ae8-63.dat nsis_installer_2 -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1244 powershell.exe 1244 powershell.exe 1244 powershell.exe 1244 powershell.exe 1244 powershell.exe 1244 powershell.exe 1244 powershell.exe 1244 powershell.exe 1244 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1244 powershell.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 1244 powershell.exe Token: SeIncreaseQuotaPrivilege 1244 powershell.exe Token: SeSecurityPrivilege 1244 powershell.exe Token: SeTakeOwnershipPrivilege 1244 powershell.exe Token: SeLoadDriverPrivilege 1244 powershell.exe Token: SeSystemProfilePrivilege 1244 powershell.exe Token: SeSystemtimePrivilege 1244 powershell.exe Token: SeProfSingleProcessPrivilege 1244 powershell.exe Token: SeIncBasePriorityPrivilege 1244 powershell.exe Token: SeCreatePagefilePrivilege 1244 powershell.exe Token: SeBackupPrivilege 1244 powershell.exe Token: SeRestorePrivilege 1244 powershell.exe Token: SeShutdownPrivilege 1244 powershell.exe Token: SeDebugPrivilege 1244 powershell.exe Token: SeSystemEnvironmentPrivilege 1244 powershell.exe Token: SeRemoteShutdownPrivilege 1244 powershell.exe Token: SeUndockPrivilege 1244 powershell.exe Token: SeManageVolumePrivilege 1244 powershell.exe Token: 33 1244 powershell.exe Token: 34 1244 powershell.exe Token: 35 1244 powershell.exe Token: 36 1244 powershell.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1696 wrote to memory of 1244 1696 5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe 85 PID 1696 wrote to memory of 1244 1696 5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe 85 PID 1696 wrote to memory of 1244 1696 5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe 85 PID 1244 wrote to memory of 1868 1244 powershell.exe 96 PID 1244 wrote to memory of 1868 1244 powershell.exe 96 PID 1244 wrote to memory of 1868 1244 powershell.exe 96 PID 1244 wrote to memory of 1868 1244 powershell.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe"C:\Users\Admin\AppData\Local\Temp\5a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -w hidden "$Realindkomster=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\trossamfund\Enwreathing253\fejningen\Catchpoleship.Ter';$Pamfiliussernes173=$Realindkomster.SubString(57686,3);.$Pamfiliussernes173($Realindkomster)2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Users\Admin\AppData\Local\Temp\Yieldableness.exe"C:\Users\Admin\AppData\Local\Temp\Yieldableness.exe"3⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1868
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
545KB
MD56fa8bc297f2359d3cd35fc1ef12c1b9e
SHA1b6be96971f04dd616e399a2cad14d49e08623036
SHA2565a99c490bd9b35a1efe9c4233023dc37641f78b67e34632c9833ec8c06c3c4af
SHA512baec2716fc69dc58a2eea22458ef6ab10825beb537bbdb9ec727d6086ea0cdff06136f709173c01a6643ef6bfc717e04e6de285862a5a6d5e9e3d9c9a6529793
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
56KB
MD5bea0253bd1d370c8bcc515e8ff7bb6e9
SHA19b1443ba1094479087b73d1999cbadfb8e2eacbd
SHA256844e8c95af74d9b8b7ee184a61f16ce1221679b84556cb78b9acab1d0fb9936b
SHA5121930e412af035f6a4ba452b3af21ba77c316fb757d32250fe343e648b3bee421c495f2607f3549cd20e1a079f9934a0ab5f7a7af0b648742ecd00b1f9e0c18be
-
Filesize
207KB
MD581683ea1765b7075c738e7fba1794fa4
SHA1da45097f2b5b5ba038eaa51efc4968e649d37a2d
SHA2563d7177dde287ae15c3a6ae7ed394c7afb2ba3ceb2b8af4a614ab61c87663cab3
SHA5127ff1edb4a9419a5cee58ec0102815b741cca84e75c11cd5324c68228eddec64d0c50bd7c78baf79bf6b793421812a36caf5435943cbc616da00688ab5415b7c1