Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
21-04-2021 14:08
Static task
static1
Behavioral task
behavioral1
Sample
gunzipped.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
gunzipped.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
gunzipped.exe
-
Size
212KB
-
MD5
e8caac54776eac6e3740c9c8426486df
-
SHA1
d6720055a125da5922be71b69b3a4078a49642ea
-
SHA256
d75c69a49a30595964989b72499ec0e303ff42a0e2a334dda22a9cd9fd7e8ba5
-
SHA512
0e16cb730971d507c9767b953c2d320b9b5a8099b736bcb42e92435d13cf77083ad2a98bf23a42af53c36907c29949f30f4e1e548662a76adb877487549f5bea
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Guloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2116-116-0x00000000021D0000-0x00000000021DD000-memory.dmp family_guloader behavioral2/memory/1504-117-0x0000000000401FBC-mapping.dmp family_guloader behavioral2/memory/1504-120-0x0000000000560000-0x0000000000660000-memory.dmp family_guloader -
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
gunzipped.exegunzipped.exedescription ioc process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe gunzipped.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe gunzipped.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
gunzipped.exegunzipped.exepid process 2116 gunzipped.exe 1504 gunzipped.exe 1504 gunzipped.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
gunzipped.exedescription pid process target process PID 2116 set thread context of 1504 2116 gunzipped.exe gunzipped.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
gunzipped.exepid process 2116 gunzipped.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
gunzipped.exepid process 2116 gunzipped.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
gunzipped.exedescription pid process target process PID 2116 wrote to memory of 1504 2116 gunzipped.exe gunzipped.exe PID 2116 wrote to memory of 1504 2116 gunzipped.exe gunzipped.exe PID 2116 wrote to memory of 1504 2116 gunzipped.exe gunzipped.exe PID 2116 wrote to memory of 1504 2116 gunzipped.exe gunzipped.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1504-117-0x0000000000401FBC-mapping.dmp
-
memory/1504-118-0x0000000000400000-0x0000000000553000-memory.dmpFilesize
1.3MB
-
memory/1504-119-0x0000000000401000-0x00000000004FD000-memory.dmpFilesize
1008KB
-
memory/1504-120-0x0000000000560000-0x0000000000660000-memory.dmpFilesize
1024KB
-
memory/1504-122-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1504-121-0x0000000000401000-0x0000000000541000-memory.dmpFilesize
1.2MB
-
memory/2116-116-0x00000000021D0000-0x00000000021DD000-memory.dmpFilesize
52KB