Analysis
- max time kernel: 139s
- max time network: 141s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 09-05-2021 16:09
Static task: static1
Behavioral task: behavioral1
  Sample: 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
  Resource: win10v20210410
General
- Target: 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
- Size: 108KB
- MD5: c1bbb80a3a9617259a87b1be77215c97
- SHA1: 1f176833a49f04aff11ed74580b5dfc725cf20bd
- SHA256: 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af
- SHA512: 3046ffd635074341d28924b480d0d62bcaff798f92aaf36ec1980de4e27f93a01494720fece7bbd1e3115c5568b281034a791949f46554003b6ad008f0e60604
Malware Config
Extracted: guloader
  https://www.mediafire.com/file/bg09a2z8p0ojruh/origin_dwqUQLYCkO21.bin/file
Signatures
- Guloader,Cloudeye
  A shellcode-based downloader first seen in 2020.
- Guloader Payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/4048-116-0x0000000002250000-0x000000000225A000-memory.dmp | family_guloader
- Checks QEMU agent state file (2 TTPs, 1 IoCs)
  Checks state file used by QEMU agent, possibly to detect virtualization.
  Processes:
  description | ioc | process
  File opened (read-only) | C:\ProgramData\qemu-ga\qga.state | 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  4048 | 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  4048 | 50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe
  "C:\Users\Admin\AppData\Local\Temp\50867b76113d37d59ecb36a9704bc4bac648e474853c4052cea1b5fb36f807af.exe"
  - Checks QEMU agent state file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4048-116-0x0000000002250000-0x000000000225A000-memory.dmp
  Filesize: 40KB