Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-04-2021 12:04

Static task: static1

Behavioral task: behavioral1
- Sample: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
- Resource: win10v20210408
General
- Target: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
- Size: 156KB
- MD5: d5b8e2ce449917bf395454082de6cba9
- SHA1: fe872c03ceef39422218003bc5a34be4faf47e55
- SHA256: 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4
- SHA512: 54dc37f2345a4b70786920c80adf8c1fc72c9ab97edf95b239453c081ab221134fbbc8ae8d8fd3ce635d4b3aec8f42fbc44005930e917e10e1a72cbd5e442e48
Malware Config
Signatures

- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.

- Guloader Payload (3 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1100-62-0x00000000002E0000-0x00000000002ED000-memory.dmp / family_guloader
    behavioral1/memory/1360-65-0x0000000000D4CE5E-mapping.dmp / family_guloader
    behavioral1/memory/1360-67-0x0000000000270000-0x0000000000370000-memory.dmp / family_guloader

- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
  Processes (description / ioc / process):
    File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
    File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / RegAsm.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid / process):
    1100 / 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
    1360 / RegAsm.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 1100 set thread context of 1360 / 1100 / 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe / RegAsm.exe

- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
    1100 / 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
    1100 / 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process), the same row recorded 8 times:
    PID 1100 wrote to memory of 1360 / 1100 / 981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe / RegAsm.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe"
   - Checks QEMU agent file
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of process 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4.exe"
   - Checks QEMU agent file
   - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1100-62-0x00000000002E0000-0x00000000002ED000-memory.dmp (Filesize: 52KB)
- memory/1100-64-0x0000000075A31000-0x0000000075A33000-memory.dmp (Filesize: 8KB)
- memory/1360-65-0x0000000000D4CE5E-mapping.dmp
- memory/1360-67-0x0000000000270000-0x0000000000370000-memory.dmp (Filesize: 1024KB)