Analysis
- max time kernel: 145s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-07-2021 10:57

Static task: static1

Behavioral task: behavioral1
  Sample: Despacho_de_informacion.doc
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: Despacho_de_informacion.doc
  Resource: win10v20210410
General
- Target: Despacho_de_informacion.doc
- Size: 178KB
- MD5: d51027ccc08c7a7bf42e481e85196136
- SHA1: 02abd7025f5e3a721676714410c66fc5b8d95f22
- SHA256: 38473a7da74c7513b8b26550778e6c10337bfa0c8037a5ec1040200c324dcc5b
- SHA512: 008279cd4e860de0279b66eac71e2b9da31418e566d2e8f6be4e59cfdb7f192614aaeb838d1a3fea151804ec0f2fac6b093127fe1c8cdfc86c9caacfa69f0fc4
Malware Config

Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Executes dropped EXE (1 IoC)
  Processes:
    pid 3200    process PQMYHDUMN.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description: Key opened         ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        process: WINWORD.EXE
    description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                   process: WINWORD.EXE
    description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    process: WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description: Key opened         ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS                process: WINWORD.EXE
    description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   process: WINWORD.EXE
    description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      process: WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid 3944    process WINWORD.EXE
    pid 3944    process WINWORD.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid 3944    process WINWORD.EXE
    pid 3944    process WINWORD.EXE
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
    pid 3944    process WINWORD.EXE    (7 occurrences)
    pid 3200    process PQMYHDUMN.exe  (1 occurrence)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 3944 wrote to memory of 3200    pid 3944    process WINWORD.EXE    target process PQMYHDUMN.exe
    description: PID 3944 wrote to memory of 3200    pid 3944    process WINWORD.EXE    target process PQMYHDUMN.exe
    description: PID 3944 wrote to memory of 3200    pid 3944    process WINWORD.EXE    target process PQMYHDUMN.exe
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Despacho_de_informacion.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PQMYHDUMN.exe (spawned under process 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PQMYHDUMN.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PQMYHDUMN.exe
  MD5: 1d0e9d6e32cc4fb843df30b40fb3b0b9
  SHA1: ac2344b40eef61eb1bfc845b3aa521f6c1f61d4c
  SHA256: 762b2ef80d674e85ebbd092a060a3dc787195af38bb85c4ac4774fcf320fd665
  SHA512: bb09b63307356414347593063b646f0fa2e6cf37907964051eae95e96b781885c5abc374d2913ef03c472186ba7e0d2f7914fc27e9c04767efff91406c2ef94b
- memory/3200-271-0x0000000000000000-mapping.dmp
- memory/3200-283-0x00000000006F0000-0x0000000000719000-memory.dmp (Filesize: 164KB)
- memory/3944-114-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp (Filesize: 64KB)
- memory/3944-115-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp (Filesize: 64KB)
- memory/3944-116-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp (Filesize: 64KB)
- memory/3944-117-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp (Filesize: 64KB)
- memory/3944-119-0x00007FFDF5C60000-0x00007FFDF5C70000-memory.dmp (Filesize: 64KB)
- memory/3944-118-0x00007FFE17710000-0x00007FFE1A233000-memory.dmp (Filesize: 43.1MB)
- memory/3944-122-0x00007FFE12520000-0x00007FFE1360E000-memory.dmp (Filesize: 16.9MB)
- memory/3944-123-0x00007FFE0EEB0000-0x00007FFE10DA5000-memory.dmp (Filesize: 31.0MB)