Overview

overview

10

Static

static

5995 MALAY...DF.exe

windows7_x64

10

5995 MALAY...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    08-12-2021 17:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5995 MALAYSIA SDN BHD PAYMENT RECEIPTS 071221_PDF.exe

  • Size

    160KB

  • MD5

    2b3c647a9f8df6a8095d8d151d4bb8cb

  • SHA1

    2304fc250c02fc342ad838aeaf47072039c5cda3

  • SHA256

    539e74bd0c03ccd3fe00e95ee29c3ada84e5aa46216449c665b3890b81dcf0cc

  • SHA512

    675fe8a5b5d1f4f38677c6ccbb5e4e29a1869171ae05684989bc6da3386b0c7ff77e7d389863612234623857cdd1fd4094adadfe748101c11f7554d3d51e296b

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5995 MALAYSIA SDN BHD PAYMENT RECEIPTS 071221_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\5995 MALAYSIA SDN BHD PAYMENT RECEIPTS 071221_PDF.exe"
    1⤵
    • Checks QEMU agent file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Users\Admin\AppData\Local\Temp\5995 MALAYSIA SDN BHD PAYMENT RECEIPTS 071221_PDF.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3516-115-0x0000000000590000-0x0000000000596000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3516-116-0x0000000000590000-0x000000000059A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3516-117-0x00000000006A0000-0x00000000006B6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/3516-119-0x00000000775E0000-0x000000007776E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3516-118-0x00007FFA2E760000-0x00007FFA2E93B000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/3516-162-0x00000000775E0000-0x000000007776E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3776-121-0x0000000003200000-mapping.dmp
    Download
  • memory/3776-123-0x0000000003430000-0x0000000003431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3776-122-0x0000000003430000-0x0000000003431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3776-124-0x0000000003430000-0x0000000003431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3776-120-0x0000000003200000-0x0000000003300000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/3776-1333-0x00007FFA2E760000-0x00007FFA2E93B000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/3776-1335-0x00000000775E0000-0x000000007776E000-memory.dmp
    Filesize

    1.6MB

    Download