Analysis
max time kernel: 144s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-11-2024 14:33
Static task: static1
Behavioral task behavioral1: Sample 60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample 60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample Laryngectomize/Listeprisernes.ps1, Resource win7-20240903-en
Behavioral task behavioral4: Sample Laryngectomize/Listeprisernes.ps1, Resource win10v2004-20241007-en
General
Target: 60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe
Size: 836KB
MD5: 2b89f539fc49781f2fc6d8debf491c90
SHA1: 227e1d6ff55aac9d09a30050cbe7acabd6df2968
SHA256: 60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690
SHA512: bd8a5af726503b17ec860745a4adf39c85c4be92a7c4e545318538bbc52e0f3052d207fe600e5d88cb8a04256867bcb4ae6d541518ed3136afe7c5ce2ae2de02
SSDEEP: 24576:OXhejYBQ1sKjVdXgf9lHWstDV8ScB0RpVCg5Ev7ixMmJ:CtKjV6f9lHltDVbcmPoixr
Malware Config
Signatures
Guloader family
Guloader, Cloudeye: a shellcode-based downloader first seen in 2020.
-
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell with its console window hidden (-w hidden).
pid 4356 powershell.exe
Loads dropped DLL (1 IoC)
pid 3176 Auktionslederen.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow 21: drive.google.com
flow 22: drive.google.com
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Setting ThreadHideFromDebugger on a thread stops debug events from that thread reaching an attached debugger; it is a common anti-analysis step, here seen from both the PowerShell host and the dropped executable.
pid 4356 powershell.exe
pid 3176 Auktionslederen.exe
Drops file in Program Files directory (2 IoCs)
File created: C:\Program Files (x86)\Common Files\chagrinets.lnk (60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe)
File opened for modification: C:\Program Files (x86)\Common Files\chagrinets.lnk (60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe)
Drops file in Windows directory (1 IoC)
File opened for modification: C:\Windows\resources\0409\delarbejders\inhabilitetssprgsmaalene.ini (60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the victim system's language in order to infer the host's geographic location.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Auktionslederen.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe)
NSIS installer (2 IoCs)
yara rule nsis_installer_1: behavioral2/files/0x0003000000022ae8-230.dat
yara rule nsis_installer_2: behavioral2/files/0x0003000000022ae8-230.dat
Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid 4356 powershell.exe (9 events)
Suspicious behavior: MapViewOfSection (1 IoC)
pid 4356 powershell.exe
Suspicious use of AdjustPrivilegeToken (22 IoCs)
pid 4356 powershell.exe adjusted the following token privileges, in this order:
SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the last four reported by numeric privilege identifier only)
Suspicious use of WriteProcessMemory (7 IoCs)
PID 2784 (60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe) wrote to memory of PID 4356, procid_target 86 (3 events)
PID 4356 (powershell.exe) wrote to memory of PID 3176, procid_target 95 (4 events)
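The seven WriteProcessMemory IoCs collapse to two distinct writer/target pairs that form one chain: the sample writes into its PowerShell child, and PowerShell in turn writes into the dropped Auktionslederen.exe. The Python below is an added triage helper, not part of this report or of any sandbox's code. It parses IoC lines in the format the report uses, collapses repeats into an edge count, walks the chain from the root writer, and flags chains in which a script host is both written into and itself a writer, which is the hand-off seen here. The PID-to-image map is taken from the report's process list; the set of script-host image names is my own choice.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_EXE = "60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe"

# The seven WriteProcessMemory IoC lines from the report, transcribed one per line
# (format: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>").
WPM_IOCS = f"""
PID 2784 wrote to memory of 4356 2784 {SAMPLE_EXE} 86
PID 2784 wrote to memory of 4356 2784 {SAMPLE_EXE} 86
PID 2784 wrote to memory of 4356 2784 {SAMPLE_EXE} 86
PID 4356 wrote to memory of 3176 4356 powershell.exe 95
PID 4356 wrote to memory of 3176 4356 powershell.exe 95
PID 4356 wrote to memory of 3176 4356 powershell.exe 95
PID 4356 wrote to memory of 3176 4356 powershell.exe 95
"""

# PID -> image name, from the report's Processes section.
PROCESSES: Dict[int, str] = {
    2784: SAMPLE_EXE,
    4356: "powershell.exe",
    3176: "Auktionslederen.exe",
}

# Script hosts that should not normally be writing into other processes (my list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

_WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_wpm(text: str) -> Counter:
    """Collapse repeated IoC lines into (writer_pid, target_pid) -> event count."""
    edges: Counter = Counter()
    for line in text.splitlines():
        m = _WPM_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def write_chains(edges: Counter) -> List[List[int]]:
    """Follow writer -> target edges starting from processes nobody wrote into."""
    targets = {dst for _, dst in edges}
    roots = {src for src, _ in edges} - targets
    children: Dict[int, List[int]] = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)

    chains: List[List[int]] = []

    def walk(pid: int, path: List[int]) -> None:
        nxt = children.get(pid, [])
        if not nxt:
            chains.append(path)
            return
        for dst in sorted(nxt):
            if dst in path:          # malformed input could contain a cycle; stop there
                chains.append(path)
                continue
            walk(dst, path + [dst])

    for root in sorted(roots):
        walk(root, [root])
    return chains


def relayed_through_script_host(chain: List[int], processes: Dict[int, str]) -> bool:
    """True when a script host sits strictly inside the chain: it was written into
    by its parent and then wrote into a further process itself."""
    return any(processes.get(pid, "").lower() in SCRIPT_HOSTS for pid in chain[1:-1])


def describe(chain: List[int], processes: Dict[int, str]) -> str:
    return " -> ".join(f"{pid} ({processes.get(pid, '?')})" for pid in chain)


if __name__ == "__main__":
    edges = parse_wpm(WPM_IOCS)
    for chain in write_chains(edges):
        flag = "SUSPICIOUS" if relayed_through_script_host(chain, PROCESSES) else "ok"
        print(flag, describe(chain, PROCESSES))
```

On this report the walk yields the single chain 2784 -> 4356 -> 3176, flagged because powershell.exe is the middle node. The same parser works on any report that uses this line format; only the PID-to-image map needs to be filled from that report's process list.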
Processes
1. C:\Users\Admin\AppData\Local\Temp\60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe"
   PID: 2784
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (32-bit Windows PowerShell on the x64 image)
      Command line: powershell.exe -w hidden "$Ungorgeous=Get-Content -raw 'C:\Users\Admin\AppData\Local\vareindkbet\bodements\quickies\Laryngectomize\Listeprisernes.Fak';$Sierran=$Ungorgeous.SubString(54789,3);.$Sierran($Ungorgeous)
      PID: 4356
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Auktionslederen.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Auktionslederen.exe"
         PID: 3176
         - Loads dropped DLL
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
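The PowerShell command line for PID 4356 is the whole first stage: it reads Listeprisernes.Fak as one string (Get-Content -raw), carves three characters out of it at offset 54789, and dot-invokes whatever command those three characters name with the entire file contents as the argument. Nothing on the command line itself reveals the command; it lives inside the dropped file. The Python below is an added triage helper, not part of this report, that recognises this launcher pattern and resolves the carved command from a copy of the file without executing anything. The .Fak contents are not on the page, so the block builds a constructed stand-in; the "iex" planted at the offset is an assumption used only to exercise the code, not a value the report confirms.

```python
import re
from typing import NamedTuple, Optional

# Command line recorded for PID 4356 in the report (transcribed as shown there,
# including the unterminated double quote).
PS_CMDLINE = (
    r"""powershell.exe -w hidden "$Ungorgeous=Get-Content -raw """
    r"""'C:\Users\Admin\AppData\Local\vareindkbet\bodements\quickies\Laryngectomize\Listeprisernes.Fak';"""
    r"""$Sierran=$Ungorgeous.SubString(54789,3);.$Sierran($Ungorgeous)"""
)


class LauncherSpec(NamedTuple):
    content_var: str   # variable that receives the whole file (Get-Content -raw)
    path: str          # file the launcher reads
    command_var: str   # variable holding the command name carved out of the file
    offset: int        # character offset passed to SubString
    length: int        # character count passed to SubString


# $<v1>=Get-Content -raw '<path>';$<v2>=$<v1>.SubString(<off>,<len>);.$<v2>($<v1>)
_LAUNCHER_RE = re.compile(
    r"\$(?P<cvar>\w+)\s*=\s*Get-Content\s+-raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<svar>\w+)\s*=\s*\$(?P=cvar)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;"
    r"\s*\.\$(?P=svar)\(\s*\$(?P=cvar)\s*\)",
    re.IGNORECASE,
)

# Commands that evaluate their argument as PowerShell code; iex is the built-in
# alias for Invoke-Expression.
EVAL_COMMANDS = {"iex", "invoke-expression"}


def parse_launcher(cmdline: str) -> Optional[LauncherSpec]:
    """Recognise the Get-Content / SubString / dot-invoke launcher in a command line."""
    m = _LAUNCHER_RE.search(cmdline)
    if m is None:
        return None
    return LauncherSpec(m["cvar"], m["path"], m["svar"], int(m["off"]), int(m["len"]))


def carve_command(spec: LauncherSpec, blob: bytes, encoding: str = "cp1252") -> str:
    """Return the command name the launcher would invoke, without invoking it.

    Get-Content -raw yields a string and SubString indexes characters, so the file
    has to be decoded before slicing. Windows PowerShell 5.1 (the SysWOW64
    powershell.exe in the report) reads a BOM-less file in the ANSI code page,
    cp1252 on an en-US image; a UTF-8 BOM or another locale shifts the mapping
    between byte offsets and character offsets, so do not slice the raw bytes.
    """
    if blob.startswith(b"\xef\xbb\xbf"):
        text = blob[3:].decode("utf-8", errors="replace")
    else:
        text = blob.decode(encoding, errors="replace")
    end = spec.offset + spec.length
    if end > len(text):
        raise ValueError(f"SubString({spec.offset},{spec.length}) runs past end of file ({len(text)} chars)")
    return text[spec.offset:end]


def triage(cmdline: str, blob: bytes) -> Optional[dict]:
    """Summarise what the launcher would do with this file, statically."""
    spec = parse_launcher(cmdline)
    if spec is None:
        return None
    cmd = carve_command(spec, blob)
    return {
        "path": spec.path,
        "command": cmd,
        "evaluates_file_as_code": cmd.strip().lower() in EVAL_COMMANDS,
        "file_bytes": len(blob),
    }


def build_sample_fak(token: str = "iex", offset: int = 54789) -> bytes:
    """Constructed stand-in for Listeprisernes.Fak; the real contents are not on the page.

    The token planted at the launcher's offset is an assumption made so the parser
    has something to carve; the report does not show what the three characters are.
    """
    filler = b"# constructed filler line\n"
    body = (filler * (offset // len(filler) + 1))[:offset]
    return body + token.encode("ascii") + b"\n# the rest of the obfuscated script would follow\n"


if __name__ == "__main__":
    print(triage(PS_CMDLINE, build_sample_fak()))
```

Run against the real .Fak file from the sandbox's dropped-file archive instead of the constructed one, the same call reports which command the loader hands the script to. If it is an expression evaluator, the remainder of the file is the second-stage PowerShell and can be deobfuscated offline.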
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 956B
MD5: 1e9e9033a77e0168f7944921905276e6
SHA1: 68624a0e703f58bc2873f1805a08dbfa8bdd2c42
SHA256: 83550b52ea7957371853be2dcb8f02125620ea53d126eea71955b9b370c4a06d
SHA512: 7dab10c4d40c2a8da4e9161c25754f6c6c29664b77bbb042f9e15afc084ea66798535c37eddadb0ea022a337fc996396064113da3986902ba18fb37b7432bea2

Filesize: 836KB (the submitted sample; hashes match the General section)
MD5: 2b89f539fc49781f2fc6d8debf491c90
SHA1: 227e1d6ff55aac9d09a30050cbe7acabd6df2968
SHA256: 60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690
SHA512: bd8a5af726503b17ec860745a4adf39c85c4be92a7c4e545318538bbc52e0f3052d207fe600e5d88cb8a04256867bcb4ae6d541518ed3136afe7c5ce2ae2de02

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 53KB
MD5: e4f72073cc7b121ef1e77875b5c3aa40
SHA1: eb3ace1b3dd416dbcdec1ae6a1ee3d20227ae6fd
SHA256: 0a8ab46fd80e222c9f3e2ec4cf38c67ae7adf4f09e40709bbba2c2e3ee785f43
SHA512: 662b9d35f71c99eea7187332363de7d6ea3ab54e1e6b0800f2162b6984949fdf7bebecf26d8db89a9438e532a2d2229a5110b201d814a1853d851f229065306a

Filesize: 204KB
MD5: 3f8c986efc0c25642797068ec56320dc
SHA1: f781efdca141d96eb6163d963f2a72a35fc64f4d
SHA256: 05d699c35dd1118abe3175121c09fc653d03780944ffecd3e9c77b7dfa1bd00f
SHA512: 0181b609fd76322daf4c937b1b01233ddac229b29a6efe5b0688b1df913ad92fe41dc12d9321d3626f8dcf728f11032a6ca9e04996c22adaa344b277d06fcd8a