Analysis
- max time kernel: 8s
- max time network: 43s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 08-05-2021 19:10
Static task: static1
Behavioral task: behavioral1
  Sample: 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
  Resource: win10v20210410
General
- Target: 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
- Size: 140KB
- MD5: 7deecd28ccb949d5c855dacc980298f2
- SHA1: 3a5cdb7227fdf47ded4ff1fe1dd38cfa502eea84
- SHA256: 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8
- SHA512: f1d1b66497bd2deea07392cdafe5a07284cdbba2e9e9c17978d35a7094d605b40e525222759e64d473d13b0356e344c0e3efed16bc5a6e14b380b67b5c9b452b
Malware Config
- Extracted family: guloader
  Payload URL: https://drive.google.com/uc?export=download&id=16HNLjxnV8VDMTThcctq09H1-RlR7b_vX
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Guloader Payload (1 IoCs)
  Processes:
  resource: behavioral1/memory/788-62-0x00000000003C0000-0x00000000003CA000-memory.dmp | yara_rule: family_guloader
- Checks QEMU agent state file (2 TTPs, 1 IoCs)
  Checks state file used by QEMU agent, possibly to detect virtualization.
  Processes:
  description: File opened (read-only) | ioc: C:\ProgramData\qemu-ga\qga.state | process: 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid: 788 | process: 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid: 788 | process: 9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9cf082ab9112e7e03fcbfa7d20a1f7c10c4eaafd8fe2c59aef527dc8dac58ef8.exe"
  - Checks QEMU agent state file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/788-62-0x00000000003C0000-0x00000000003CA000-memory.dmp
  Filesize: 40KB