Overview

overview

10

Static

static

3

AMENDED CO...df.exe

windows7-x64

7

AMENDED CO...df.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    145s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-06-2024 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AMENDED CONTRACT-pdf.exe

  • Size

    749KB

  • MD5

    0dd2464556b15a0110a61fbb9c059fd7

  • SHA1

    85dc6648297ce3a175c87f90ad87c0c19940f7ec

  • SHA256

    ec718f7c0b27972083cd3990267d68a2cebd76b6fcaa224c44f3b165d95125f3

  • SHA512

    7a46b3ac69acdc85cfd54be576144035ef844cb64ac4a918735e1bf96fd1785e9c2d13e6d93424689397e3a89b879385638d3d96386d9ba49742b69271f4e23c

  • SSDEEP

    12288:TA4AyshjrfD3NfhN3ImdnkOMR4vejLiuLbKc+z6ps:TA4A/hfDJ3IokOMR4vaiu68s

Score
10/10
guloaderdownloaderexecution

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AMENDED CONTRACT-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\AMENDED CONTRACT-pdf.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized "$hydroxamic=Get-Content 'C:\Users\Admin\AppData\Roaming\Njeregnende130\Ramular.Ung';$Rammes=$hydroxamic.SubString(51368,3);.$Rammes($hydroxamic)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Users\Admin\AppData\Local\Temp\Bagmndene.bat
        "C:\Users\Admin\AppData\Local\Temp\Bagmndene.bat"
        3⤵
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Bagmndene.bat
    Filesize

    749KB

    MD5

    0dd2464556b15a0110a61fbb9c059fd7

    SHA1

    85dc6648297ce3a175c87f90ad87c0c19940f7ec

    SHA256

    ec718f7c0b27972083cd3990267d68a2cebd76b6fcaa224c44f3b165d95125f3

    SHA512

    7a46b3ac69acdc85cfd54be576144035ef844cb64ac4a918735e1bf96fd1785e9c2d13e6d93424689397e3a89b879385638d3d96386d9ba49742b69271f4e23c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4nwsium.2ku.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsw3F0D.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    b5a1f9dc73e2944a388a61411bdd8c70

    SHA1

    dc9b20df3f3810c2e81a0c54dea385704ba8bef7

    SHA256

    288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

    SHA512

    b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Njeregnende130\Pandekagernes.Ste
    Filesize

    293KB

    MD5

    60dc1196d4762f2c6fde8783aa072411

    SHA1

    de2d6b73353192f255adea46d0d15ef90481c46e

    SHA256

    ca4c1efd5b5a9176d74c4b609af10dd3f8ee3e0c8b0f18db6132ef21d1c0036a

    SHA512

    0e6212d34f51f34c06a73a4a41355444b45a3ba005792eb7c0e5f67c3927509a0ef29dc8b04f90382fcbd0240a641f430a31fb5187874b26d0a656397292a404

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Njeregnende130\Ramular.Ung
    Filesize

    50KB

    MD5

    bbb874e352104ce1877463082844e0fe

    SHA1

    0bcdaa64d2d73bb02a234c01250e4c1a01685982

    SHA256

    8596f717c16cd7f6b8da94bc3dbaa08419f5945018763c8fac4fca4de284f3d8

    SHA512

    43806040375f8a67de74beac471d5e90924883eaa35a1f71701a477e4085049cf1b39f9e0f17a0cf3b624236b73cb531b85040e4421535e509f181fa3598d390

    Download Submit
  • memory/2088-53-0x0000000001660000-0x0000000002540000-memory.dmp
    Filesize

    14.9MB

    Download
  • memory/2088-50-0x0000000000400000-0x0000000001654000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2088-46-0x0000000001660000-0x0000000002540000-memory.dmp
    Filesize

    14.9MB

    Download
  • memory/2088-45-0x0000000000400000-0x0000000001654000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2332-33-0x0000000008B30000-0x00000000091AA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2332-38-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-26-0x00000000068A0000-0x00000000068BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2332-27-0x00000000068E0000-0x000000000692C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2332-30-0x0000000006E00000-0x0000000006E22000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2332-29-0x0000000006D80000-0x0000000006D9A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2332-28-0x0000000007860000-0x00000000078F6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2332-31-0x0000000007F00000-0x00000000084A4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2332-12-0x00000000058C0000-0x00000000058E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2332-17-0x0000000006220000-0x0000000006286000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2332-35-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-36-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-14-0x00000000061B0000-0x0000000006216000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2332-21-0x0000000006290000-0x00000000065E4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2332-40-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-39-0x00000000091B0000-0x000000000A090000-memory.dmp
    Filesize

    14.9MB

    Download
  • memory/2332-42-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-13-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-43-0x0000000073B9E000-0x0000000073B9F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2332-10-0x00000000059D0000-0x0000000005FF8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2332-11-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-48-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-49-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-9-0x0000000005300000-0x0000000005336000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2332-52-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2332-8-0x0000000073B9E000-0x0000000073B9F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2332-58-0x0000000073B90000-0x0000000074340000-memory.dmp
    Filesize

    7.7MB

    Download