Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 23:15
Static task: static1
Behavioral task: behavioral1
- Sample: B2020006307357.PDF...exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: B2020006307357.PDF...exe
- Resource: win10-en-20211208
General
- Target: B2020006307357.PDF...exe
- Size: 52KB
- MD5: 42e026716bcf95406beca59b834a1432
- SHA1: 9474067350e0211faff4eb0c14dc2982897ee6f9
- SHA256: 1dd138afd050e4d29b20494c3bd607685295f2cd8217c1e6ddd9b47e54961f38
- SHA512: 01873ec441a283c55948052c4a835c7fd5246f695ed955239168dc583299c1bf58536f80d77e0a4c76e19ca04e51ef9ce927c806489bf1b122d0b6ad44d1df9b
Malware Config
Extracted
- Family: guloader
- Payload URL: https://drive.google.com/uc?export=download&id=1nxID3cbZ3N3YCfZ5Mt-WYptrBK_9HFWH
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Guloader Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1444-59-0x0000000000360000-0x0000000000368000-memory.dmp | family_guloader
  behavioral1/memory/1084-62-0x0000000000270000-0x00000000003E0000-memory.dmp | family_guloader
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  pid | process
  1444 | B2020006307357.PDF...exe
  1084 | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1444 set thread context of 1084 | 1444 | B2020006307357.PDF...exe | RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid | process
  1444 | B2020006307357.PDF...exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  1444 | B2020006307357.PDF...exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 1444 wrote to memory of 1084 | 1444 | B2020006307357.PDF...exe | RegAsm.exe
  (the same row is reported 8 times)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\B2020006307357.PDF...exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\B2020006307357.PDF...exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\B2020006307357.PDF...exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1084-62-0x0000000000270000-0x00000000003E0000-memory.dmp (filesize 1.4MB)
- memory/1084-63-0x00000000773A0000-0x0000000077549000-memory.dmp (filesize 1.7MB)
- memory/1444-56-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (filesize 8KB)
- memory/1444-59-0x0000000000360000-0x0000000000368000-memory.dmp (filesize 32KB)
- memory/1444-60-0x00000000773A0000-0x0000000077549000-memory.dmp (filesize 1.7MB)
- memory/1444-61-0x0000000077580000-0x0000000077700000-memory.dmp (filesize 1.5MB)