Analysis
max time kernel: 132s
max time network: 135s
platform: windows7_x64
resource: win7v20210410
submitted: 05-05-2021 02:03

Static task: static1
Behavioral task: behavioral1
  Sample: 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
  Resource: win10v20210410
General
Target: 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
Size: 96KB
MD5: 6069bf9742a8ce15f44e35405c861540
SHA1: f3a763465ca3f12b00955d3a1d017b3a2d47049d
SHA256: 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd
SHA512: 7b3e467510d93f3c65d893fee5d58aba66754543232df8d1c05fa32a96299cb8a5df49a89fac469e784f1625cb70c26802fd799ca5c6e5095b334c1c04c462a1
Malware Config
Extracted (family: guloader)
  URL: http://172.93.162.253/bin_WJoRuvaovF116.bin
  The URL is the payload location recovered from the sample's embedded configuration. The Network section of this report lists no traffic, so the retrieval of that payload is not recorded here; treat the URL as a static indicator rather than an observed connection.
Signatures
Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
Guloader Payload (1 IoC)
  resource: behavioral1/memory/1672-61-0x0000000000270000-0x000000000027D000-memory.dmp
  yara_rule: family_guloader
  The matching region is the 52KB dump of pid 1672 (0x270000-0x27D000) listed under Downloads; the family rule fires on the unpacked shellcode in memory, not on the 96KB file on disk.
Checks QEMU agent state file (2 TTPs, 1 IoC)
  Checks the state file used by the QEMU guest agent, possibly to detect virtualization.
  process: 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
  description: File opened (read-only)
  ioc: C:\ProgramData\qemu-ga\qga.state
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 1672: 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
  NtSetInformationThread with the ThreadHideFromDebugger class stops the kernel from delivering debug events for that thread, so an attached debugger loses visibility of it; this is a standard anti-debugging technique with few legitimate uses.
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1672: 63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
  Windows hooks are flagged because they can capture keystrokes or cause a DLL to be loaded into other processes; the API also has benign uses, so this hit is weaker evidence on its own than the two above.
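To show how the three behavioural signatures above and the memory-dump name can be checked mechanically, here is an added example written by the editor; it is not the sandbox's own signature code. It replays constructed sandbox-style events (file opens and API calls attributed to pid 1672, plus a benign control event) against the checks this report fires, and decodes the dump file name into pid, address range and size. The event schema, the field names, and the VirtualBox/VMware artefact paths beyond the qga.state path on the page are assumptions; the ThreadHideFromDebugger constant (17) is the documented value.

```python
"""Replay constructed sandbox-style behaviour events against the checks this
report fires (QEMU guest-agent artefact, ThreadHideFromDebugger, SetWindowsHookEx)
and decode the memory-dump file name. Added example by the editor; the event
format and the extra hypervisor artefact paths are assumptions, not the
sandbox's own schema."""
import re
from dataclasses import dataclass

# ThreadInformationClass passed to NtSetInformationThread to hide a thread from an
# attached debugger (documented constant: ThreadHideFromDebugger = 17).
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Guest-agent / guest-tools artefacts a loader may probe to spot a VM. qga.state is
# the path shown in this report; the other two are the editor's assumed additions.
VM_ARTEFACT_PATHS = {
    r"c:\programdata\qemu-ga\qga.state": "QEMU agent state file",
    r"c:\windows\system32\drivers\vboxguest.sys": "VirtualBox guest driver",
    r"c:\windows\system32\drivers\vmmouse.sys": "VMware mouse driver",
}


@dataclass(frozen=True)
class Event:
    pid: int
    kind: str          # "file_open" or "api_call" (assumed event kinds)
    name: str          # file path for file_open, API name for api_call
    args: tuple = ()   # API arguments as the sandbox would have logged them


def classify(events):
    """Map events to {signature_name: [pid, ...]} using the report's three checks."""
    hits = {}

    def add(sig, pid):
        pids = hits.setdefault(sig, [])
        if pid not in pids:
            pids.append(pid)

    for ev in events:
        if ev.kind == "file_open":
            desc = VM_ARTEFACT_PATHS.get(ev.name.lower())
            if desc:
                add(f"Checks {desc}", ev.pid)
        elif ev.kind == "api_call":
            # Second argument of NtSetInformationThread is the information class.
            if (ev.name == "NtSetInformationThread" and len(ev.args) >= 2
                    and ev.args[1] == THREAD_HIDE_FROM_DEBUGGER):
                add("Suspicious use of NtSetInformationThreadHideFromDebugger", ev.pid)
            elif ev.name == "SetWindowsHookEx":
                add("Suspicious use of SetWindowsHookEx", ev.pid)
    return hits


# Assumed layout "<pid>-<index>-0x<start>-0x<end>-memory.dmp", consistent with the
# single dump named in this report (pid 1672, 0x270000-0x27D000).
DUMP_NAME_RE = re.compile(r"^(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Decode a dump file name into pid, index, address range and size in KiB."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "index": idx, "start": start, "end": end,
            "size_kb": (end - start) // 1024}


# Constructed events mirroring what the report attributes to pid 1672, plus one
# benign file open from another pid that must not produce a hit.
SAMPLE_EVENTS = [
    Event(1672, "file_open", r"C:\ProgramData\qemu-ga\qga.state"),
    Event(1672, "api_call", "NtSetInformationThread",
          (0xFFFFFFFE, THREAD_HIDE_FROM_DEBUGGER, 0, 0)),   # -2 = current thread
    Event(1672, "api_call", "SetWindowsHookEx", (13, 0x401000, 0x400000, 0)),
    Event(2001, "file_open", r"C:\Users\Admin\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for sig, pids in classify(SAMPLE_EVENTS).items():
        print(f"{sig}: pid(s) {pids}")
    print(parse_dump_name("1672-61-0x0000000000270000-0x000000000027D000-memory.dmp"))
```

The ThreadHideFromDebugger check keys on the information class argument rather than the API name alone, because NtSetInformationThread is called constantly for benign classes (priority, affinity); only class 17 is the anti-debug signal. The dump-name parser confirms that the YARA hit region is 0xD000 bytes, which is the 52KB figure the report gives under Downloads.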
Processes
C:\Users\Admin\AppData\Local\Temp\63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\63b5c9b0e21398b428814cc2f391397ce81342682a0be100c5d5d50a846d56cd.exe"
  - Checks QEMU agent state file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/1672-61-0x0000000000270000-0x000000000027D000-memory.dmp
  Filesize: 52KB