Analysis
- max time kernel: 134s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-04-2021 09:03

Static task: static1
Behavioral task: behavioral1
- Sample: cb03fe75572bc1d3406e9b3cda1e782e.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: cb03fe75572bc1d3406e9b3cda1e782e.exe
- Resource: win10v20210410
General
- Target: cb03fe75572bc1d3406e9b3cda1e782e.exe
- Size: 160KB
- MD5: cb03fe75572bc1d3406e9b3cda1e782e
- SHA1: d66bb237393370460edb2f32b3a696823f9bc9f4
- SHA256: 19bf54b5145b7080462d1f459dd88a6c7b8f6eb815be116651ad9016939777f0
- SHA512: d4509419b97b105554ebfa27826afbf407ba6a41e89275f1fd6f28c120076a9e99965cac78fd41b63e6918d92176a9c6cd7414af904e395d6165e536a8d236d9
Malware Config
Signatures
- Guloader, Cloudeye: a shellcode-based downloader first seen in 2020.
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Guloader Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1820-62-0x00000000002E0000-0x00000000002EA000-memory.dmp | family_guloader
  behavioral1/memory/1628-65-0x00000000000E0000-0x00000000001E0000-memory.dmp | family_guloader
  behavioral1/memory/1628-66-0x00000000000E0000-mapping.dmp | family_guloader
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes: cb03fe75572bc1d3406e9b3cda1e782e.exe, ieinstal.exe
  description | ioc | process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | cb03fe75572bc1d3406e9b3cda1e782e.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | ieinstal.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: ieinstal.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | ieinstal.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Teoridannel9 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HYPERBRACH\\alcoabagtungenh.exe" | ieinstal.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: cb03fe75572bc1d3406e9b3cda1e782e.exe, ieinstal.exe
  pid | process
  1820 | cb03fe75572bc1d3406e9b3cda1e782e.exe
  1628 | ieinstal.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: cb03fe75572bc1d3406e9b3cda1e782e.exe
  description | pid | process | target process
  PID 1820 set thread context of 1628 | 1820 | cb03fe75572bc1d3406e9b3cda1e782e.exe | ieinstal.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: cb03fe75572bc1d3406e9b3cda1e782e.exe
  pid | process
  1820 | cb03fe75572bc1d3406e9b3cda1e782e.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: cb03fe75572bc1d3406e9b3cda1e782e.exe
  pid | process
  1820 | cb03fe75572bc1d3406e9b3cda1e782e.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: cb03fe75572bc1d3406e9b3cda1e782e.exe
  description | pid | process | target process
  PID 1820 wrote to memory of 1628 | 1820 | cb03fe75572bc1d3406e9b3cda1e782e.exe | ieinstal.exe
  (the same entry is recorded 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\cb03fe75572bc1d3406e9b3cda1e782e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb03fe75572bc1d3406e9b3cda1e782e.exe"
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cb03fe75572bc1d3406e9b3cda1e782e.exe"
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1628-65-0x00000000000E0000-0x00000000001E0000-memory.dmp (Filesize 1024KB)
- memory/1628-66-0x00000000000E0000-mapping.dmp
- memory/1820-62-0x00000000002E0000-0x00000000002EA000-memory.dmp (Filesize 40KB)
- memory/1820-64-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize 8KB)