Analysis
- max time kernel: 16s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-07-2021 23:28
Static task: static1
Behavioral task: behavioral1
- Sample: b931d8035a682f8a20e7d22f2a3eb583.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: b931d8035a682f8a20e7d22f2a3eb583.exe
- Resource: win10v20210408
General
- Target: b931d8035a682f8a20e7d22f2a3eb583.exe
- Size: 204KB
- MD5: b931d8035a682f8a20e7d22f2a3eb583
- SHA1: 0beed11d5ff54eaefae2409c8379472ded8fb22b
- SHA256: 88fc32a54543077e4f66df43eb5f41c908de966d843e5cc3b55298e8a12ed3f4
- SHA512: 2fd87cd381843a06cdfb054803bc88492b58d23a9b06be9bc2e803e85cd515ab09b8238c868c7f9112eea17deccad0e8be717610f3962b696c5542ecd006bc96
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1836 | UNCONC~1.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b931d8035a682f8a20e7d22f2a3eb583.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b931d8035a682f8a20e7d22f2a3eb583.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  1836 | UNCONC~1.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 992 wrote to memory of 1836 | 992 | b931d8035a682f8a20e7d22f2a3eb583.exe | UNCONC~1.EXE
  PID 992 wrote to memory of 1836 | 992 | b931d8035a682f8a20e7d22f2a3eb583.exe | UNCONC~1.EXE
  PID 992 wrote to memory of 1836 | 992 | b931d8035a682f8a20e7d22f2a3eb583.exe | UNCONC~1.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b931d8035a682f8a20e7d22f2a3eb583.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b931d8035a682f8a20e7d22f2a3eb583.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNCONC~1.EXE (child of [1])
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNCONC~1.EXE
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNCONC~1.EXE
  MD5: d02d27c34545bc0b69ec291fbe5b872f
  SHA1: 5131370c2af88e34ab023026e166329971c2e6ce
  SHA256: 2c05003672f05ef6ac4a45270bd555d721d26b8b3f191b45ef07a55de60e861d
  SHA512: 0ebff991d0f312db8edbf8e021497c2df76f649edb1bbc9dab19bb0980e608ce3d5a763aa10ca3800f13ab28c11e52583ff2ccaec6bb8484a676266114bc905e
- memory/1836-114-0x0000000000000000-mapping.dmp
- memory/1836-119-0x00000000006B0000-0x00000000006DA000-memory.dmp
  Filesize: 168KB