Overview

overview

10

Static

static

1

60f7c2d61a...90.exe

windows7-x64

8

60f7c2d61a...90.exe

windows10-2004-x64

10

Laryngecto...es.ps1

windows7-x64

3

Laryngecto...es.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 02:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe

  • Size

    836KB

  • MD5

    2b89f539fc49781f2fc6d8debf491c90

  • SHA1

    227e1d6ff55aac9d09a30050cbe7acabd6df2968

  • SHA256

    60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690

  • SHA512

    bd8a5af726503b17ec860745a4adf39c85c4be92a7c4e545318538bbc52e0f3052d207fe600e5d88cb8a04256867bcb4ae6d541518ed3136afe7c5ce2ae2de02

  • SSDEEP

    24576:OXhejYBQ1sKjVdXgf9lHWstDV8ScB0RpVCg5Ev7ixMmJ:CtKjV6f9lHltDVbcmPoixr

Score
10/10
guloaderdiscoverydownloaderexecution

Malware Config

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe
    "C:\Users\Admin\AppData\Local\Temp\60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -w hidden "$Ungorgeous=Get-Content -raw 'C:\Users\Admin\AppData\Local\vareindkbet\bodements\quickies\Laryngectomize\Listeprisernes.Fak';$Sierran=$Ungorgeous.SubString(54789,3);.$Sierran($Ungorgeous)
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Users\Admin\AppData\Local\Temp\Auktionslederen.exe
        "C:\Users\Admin\AppData\Local\Temp\Auktionslederen.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:1608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\chagrinets.lnk
    Filesize

    960B

    MD5

    ec6ff37f3b4dbaea395ebf77c1364e4e

    SHA1

    ecf7dccfe476061aa298ec728e6a03d7e4521a9c

    SHA256

    85d890414c18126bad17f1ea51cbd81a88bf67ebc25c731f7e478cdfec8ce9c8

    SHA512

    b1003c867a54ce887314ff1d86c083e67759143eeacc3fdb2b0082aff35f0394e3f0d7a92a04ac7ca2dda8c3faf7aad4adaffc3f5c953accc031239c70f76629

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Auktionslederen.exe
    Filesize

    836KB

    MD5

    2b89f539fc49781f2fc6d8debf491c90

    SHA1

    227e1d6ff55aac9d09a30050cbe7acabd6df2968

    SHA256

    60f7c2d61a09e10204c2c6b359f2d87f3714ebff676a92d38da0af160c738690

    SHA512

    bd8a5af726503b17ec860745a4adf39c85c4be92a7c4e545318538bbc52e0f3052d207fe600e5d88cb8a04256867bcb4ae6d541518ed3136afe7c5ce2ae2de02

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vtrdnvx.bjj.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\vareindkbet\bodements\quickies\Laryngectomize\Listeprisernes.Fak
    Filesize

    53KB

    MD5

    e4f72073cc7b121ef1e77875b5c3aa40

    SHA1

    eb3ace1b3dd416dbcdec1ae6a1ee3d20227ae6fd

    SHA256

    0a8ab46fd80e222c9f3e2ec4cf38c67ae7adf4f09e40709bbba2c2e3ee785f43

    SHA512

    662b9d35f71c99eea7187332363de7d6ea3ab54e1e6b0800f2162b6984949fdf7bebecf26d8db89a9438e532a2d2229a5110b201d814a1853d851f229065306a

    Download Submit

  • C:\Users\Admin\AppData\Local\vareindkbet\bodements\quickies\forsknnendes.tri
    Filesize

    204KB

    MD5

    3f8c986efc0c25642797068ec56320dc

    SHA1

    f781efdca141d96eb6163d963f2a72a35fc64f4d

    SHA256

    05d699c35dd1118abe3175121c09fc653d03780944ffecd3e9c77b7dfa1bd00f

    SHA512

    0181b609fd76322daf4c937b1b01233ddac229b29a6efe5b0688b1df913ad92fe41dc12d9321d3626f8dcf728f11032a6ca9e04996c22adaa344b277d06fcd8a

    Download Submit

  • memory/1472-210-0x00000000079B0000-0x00000000079CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1472-212-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-178-0x0000000005F60000-0x0000000005FC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1472-176-0x00000000057D0000-0x00000000057F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1472-188-0x00000000060D0000-0x0000000006424000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1472-189-0x0000000006590000-0x00000000065AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1472-190-0x00000000065D0000-0x000000000661C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1472-191-0x0000000007560000-0x00000000075F6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1472-192-0x0000000006A90000-0x0000000006AAA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1472-193-0x0000000006AE0000-0x0000000006B02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1472-194-0x0000000007BE0000-0x0000000008184000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1472-175-0x0000000005930000-0x0000000005F58000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1472-196-0x0000000008810000-0x0000000008E8A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1472-199-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1472-198-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-197-0x00000000079D0000-0x0000000007A02000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1472-200-0x0000000070100000-0x0000000070454000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1472-174-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-211-0x0000000007A20000-0x0000000007AC3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1472-177-0x0000000005870000-0x00000000058D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1472-213-0x0000000007B40000-0x0000000007B4A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1472-214-0x0000000007B90000-0x0000000007BBA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1472-215-0x00000000082D0000-0x00000000082F4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1472-216-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-218-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-173-0x0000000002C50000-0x0000000002C86000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1472-220-0x0000000073B1E000-0x0000000073B1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1472-221-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-222-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-223-0x0000000008E90000-0x0000000009DF0000-memory.dmp

    Filesize

    15.4MB

    Download

  • memory/1472-224-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-225-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-226-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-228-0x0000000073B10000-0x00000000742C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1472-172-0x0000000073B1E000-0x0000000073B1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1608-230-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1608-231-0x0000000001660000-0x00000000025C0000-memory.dmp

    Filesize

    15.4MB

    Download

  • memory/1608-245-0x0000000001660000-0x00000000025C0000-memory.dmp

    Filesize

    15.4MB

    Download

  • memory/1608-244-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download