Overview
overview
10Static
static
3a77c2d0242...eb.exe
windows7-x64
10a77c2d0242...eb.exe
windows10-2004-x64
8$PLUGINSDI...sh.dll
windows7-x64
3$PLUGINSDI...sh.dll
windows10-2004-x64
3$PLUGINSDI...ge.dll
windows7-x64
1$PLUGINSDI...ge.dll
windows10-2004-x64
1$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
28-06-2024 01:39
Static task
static1
Behavioral task
behavioral1
Sample
a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/BgImage.dll
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/BgImage.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240611-en
General
-
Target
a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe
-
Size
648KB
-
MD5
af7493a9e9ea9a5181ebc8ba0c3bb7bc
-
SHA1
809de7c88d3a53a4ec803c37e232c12037c48911
-
SHA256
a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb
-
SHA512
214bef965ff2a8113c05fd371173c72fd94c36e9bfefc102858d2aab4c0f2c0f03773835405d1e489f5ce73243cb2b5b84d256a90d5cc5a8356dfce9b45b1226
-
SSDEEP
6144:z9KOQS4B4GMSGJpFhsiivgUroam4nt5wf1CEH/+57/B0wU683FbyZc3q64drI1RJ:zsB4GOsPoamI4dCEm5750wUB3F+xxw
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Loads dropped DLL 4 IoCs
Processes:
a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exepid process 2276 a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe 2276 a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe 2276 a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe 2276 a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Schultz = "%Enterotomy% -windowstyle minimized $Mesopleural=(Get-ItemProperty -Path 'HKCU:\\Duerne16\\').Bureaukratisme;%Enterotomy% ($Mesopleural)" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
wab.exepid process 2140 wab.exe 2140 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 1968 powershell.exe 2140 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 1968 set thread context of 2140 1968 powershell.exe wab.exe -
Drops file in Windows directory 1 IoCs
Processes:
a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exedescription ioc process File opened for modification C:\Windows\Fonts\anorakkerne.ini a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exepid process 1968 powershell.exe 1968 powershell.exe 1968 powershell.exe 1968 powershell.exe 1968 powershell.exe 1968 powershell.exe 1968 powershell.exe 1968 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 1968 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1968 powershell.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exepowershell.exewab.execmd.exedescription pid process target process PID 2276 wrote to memory of 1968 2276 a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe powershell.exe PID 2276 wrote to memory of 1968 2276 a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe powershell.exe PID 2276 wrote to memory of 1968 2276 a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe powershell.exe PID 2276 wrote to memory of 1968 2276 a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe powershell.exe PID 1968 wrote to memory of 2140 1968 powershell.exe wab.exe PID 1968 wrote to memory of 2140 1968 powershell.exe wab.exe PID 1968 wrote to memory of 2140 1968 powershell.exe wab.exe PID 1968 wrote to memory of 2140 1968 powershell.exe wab.exe PID 1968 wrote to memory of 2140 1968 powershell.exe wab.exe PID 1968 wrote to memory of 2140 1968 powershell.exe wab.exe PID 2140 wrote to memory of 2192 2140 wab.exe cmd.exe PID 2140 wrote to memory of 2192 2140 wab.exe cmd.exe PID 2140 wrote to memory of 2192 2140 wab.exe cmd.exe PID 2140 wrote to memory of 2192 2140 wab.exe cmd.exe PID 2192 wrote to memory of 2876 2192 cmd.exe reg.exe PID 2192 wrote to memory of 2876 2192 cmd.exe reg.exe PID 2192 wrote to memory of 2876 2192 cmd.exe reg.exe PID 2192 wrote to memory of 2876 2192 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe"C:\Users\Admin\AppData\Local\Temp\a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Falmedes=Get-Content 'C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Indstningernes.Svi';$Almuten=$Falmedes.SubString(68669,3);.$Almuten($Falmedes)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Schultz" /t REG_EXPAND_SZ /d "%Enterotomy% -windowstyle minimized $Mesopleural=(Get-ItemProperty -Path 'HKCU:\Duerne16\').Bureaukratisme;%Enterotomy% ($Mesopleural)"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Schultz" /t REG_EXPAND_SZ /d "%Enterotomy% -windowstyle minimized $Mesopleural=(Get-ItemProperty -Path 'HKCU:\Duerne16\').Bureaukratisme;%Enterotomy% ($Mesopleural)"5⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Gyptologiske.UdlFilesize
334KB
MD5736d09ecac96c2df1113a1a8cba47a69
SHA1e335b76dafc2a78ff57db7bb2cbaf84c0a5aeb81
SHA256848eeb17eac68ad07de0c7deee17f38a5e9fbe41c105323fccd7138770384167
SHA512bd51abcdb99d5df07da84e862d93ebd6d9940f112f602a550a492dfbcc9e7ab75233b10716f123b95f3bc2ac528a327bba75c82779a4966327a1cae0e38a306c
-
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Indstningernes.SviFilesize
67KB
MD5aa8fd270726e1b8912b67cfd401820dd
SHA12368c97236dcca147773e395eeca9501a805888c
SHA2560f70c603d4b3a4aa5790a4caf3514dc0860b2203c7c2ef4aac1be3e40cef385a
SHA5123aa23daa46c6d712bbff250fc38002fede249419f10cd2be909e20e095d7320d8f4792cf42009038cd95c7b448ea16a5d0c0fab1823e0fb8f28827827a55f299
-
C:\Users\Admin\Pictures\slukningen.lnkFilesize
1006B
MD53612876b415285fccaa750f476301984
SHA10747e72dfa185fd5915bcd3aa43297af01aa00ab
SHA25674f386dc3850854e67a71eea3d1757e460fe4961ec8237535241ca0de4cdde7b
SHA5125b24f566522fe88a570df8c7b00a5bd2941b1c2fb6d3285cff0cec0506e49616a2686cbef2b7ebf48a3bc51a4432334c184ff23fe440e733c25a6acd379a83c9
-
\Users\Admin\AppData\Local\Temp\nsdFE1E.tmp\AdvSplash.dllFilesize
6KB
MD56def2cf3daf850acdc1a3e7340a439c4
SHA195d0d26f60cd5af697502cd5e53a54913ab188fb
SHA2563ec3cf21a99ab0533ec2c451df3b5542733f70b972089d5c321ad7ae3b87d175
SHA51216b1cf4783284d4a1282c569f5c416c713b4b339efcd4d3948bdf7da2194c597bd732d07ba9fabafcab323ba8c8da68845d4435ab9d1916b1810087ee1f5c413
-
\Users\Admin\AppData\Local\Temp\nsdFE1E.tmp\BgImage.dllFilesize
7KB
MD52bb17d45e5ad92053ce1e500408dd8a9
SHA1f5d3a7ee6e28df532e9ce33976c92ff30a5665e4
SHA25671ce676703dad028e4083e6b960b1ed89885877079d46d5021506eaa6d99db53
SHA512efdcb476b9b9b5691fe6b9cd77ecbe48d50c6683da01fd51c6b428cc262528fb3dcd295abe28718321b2307b0e032fcb599588f1eb00a93fd9e6a1f7b322b41f
-
\Users\Admin\AppData\Local\Temp\nsdFE1E.tmp\UserInfo.dllFilesize
4KB
MD58ef0e4eb7c89cdd2b552de746f5e2a53
SHA1820f681e7cec409a02b194a487d1c8af1038acf0
SHA25641293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc
SHA512a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5
-
\Users\Admin\AppData\Local\Temp\nsdFE1E.tmp\nsExec.dllFilesize
6KB
MD5c129bc26a26be6f5816a03520bb37833
SHA118100042155f948301701744b131c516bf26ddb8
SHA256d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4
SHA512dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63
-
memory/1968-158-0x0000000073BB0000-0x000000007415B000-memory.dmpFilesize
5.7MB
-
memory/1968-159-0x0000000073BB0000-0x000000007415B000-memory.dmpFilesize
5.7MB
-
memory/1968-160-0x0000000073BB0000-0x000000007415B000-memory.dmpFilesize
5.7MB
-
memory/1968-161-0x0000000073BB0000-0x000000007415B000-memory.dmpFilesize
5.7MB
-
memory/1968-157-0x0000000073BB1000-0x0000000073BB2000-memory.dmpFilesize
4KB
-
memory/1968-164-0x0000000073BB0000-0x000000007415B000-memory.dmpFilesize
5.7MB
-
memory/1968-166-0x0000000073BB0000-0x000000007415B000-memory.dmpFilesize
5.7MB
-
memory/1968-167-0x00000000066E0000-0x000000000A02D000-memory.dmpFilesize
57.3MB
-
memory/1968-168-0x0000000073BB0000-0x000000007415B000-memory.dmpFilesize
5.7MB
-
memory/2140-190-0x00000000017A0000-0x00000000050ED000-memory.dmpFilesize
57.3MB