Analysis
- max time kernel: 166s
- max time network: 188s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 22:52
- Static task: static1
- Behavioral task: behavioral1
  Sample: Proforma Invoice.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: Proforma Invoice.exe
  Resource: win10-en-20211208
General
- Target: Proforma Invoice.exe
- Size: 64KB
- MD5: d09f1e15cbc187edc5792c61d8670a09
- SHA1: 2b7059a6964b634dd7bb372b5e62c38887b8e93d
- SHA256: 3561b08594d47d1c827ef76518197472532bfae0ffb9329711f51dc0ee9bdf2a
- SHA512: f5c4436dc0dc002785d6574614ed2f9d2b3b175f3e14fa546dd131736d2cc263de289dd818940c5a61ca536616b48b69a0245698f2cdef6e5f2a4bc450fdec27
Malware Config
Extracted: guloader
- https://drive.google.com/uc?export=download&id=1t2kWSyeWJ0Nxuf3Q0XWr6hhlOTDB_4Og
The extracted value is the URL from which GuLoader fetches its encrypted second-stage payload; here it is a Google Drive direct-download link, which is what the "legitimate hosting services abused" signature below refers to. The 64KB file on disk is the loader stage only; the payload is not among the artifacts listed in this report.
Signatures
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
    348 Proforma Invoice.exe
    3280 Proforma Invoice.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 348 set thread context of 3280: 348 Proforma Invoice.exe -> Proforma Invoice.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
    348 Proforma Invoice.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    348 Proforma Invoice.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 348 wrote to memory of 3280: 348 Proforma Invoice.exe -> Proforma Invoice.exe (reported 4 times)
Read together, these rows show PID 348 writing into PID 3280 and setting a thread context in it, with both processes running the same image. That WriteProcessMemory plus SetThreadContext pairing against a freshly spawned copy of itself is the sequence a loader uses to run its decrypted payload in a second process; the ThreadHideFromDebugger call in both processes is the anti-debugging layer on top of it.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe (PID 348)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe (PID 3280, child of PID 348)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps; file name encodes pid, dump index, region start and end)
PID 348:
- memory/348-117-0x00000000029B0000-0x00000000029B8000-memory.dmp (Filesize 32KB)
- memory/348-118-0x00007FF908730000-0x00007FF90890B000-memory.dmp (Filesize 1.9MB)
- memory/348-119-0x0000000077570000-0x00000000776FE000-memory.dmp (Filesize 1.6MB)
PID 3280:
- memory/3280-120-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize 1.3MB)
- memory/3280-122-0x0000000000401000-0x00000000004FD000-memory.dmp (Filesize 1008KB)
- memory/3280-123-0x0000000000560000-0x0000000000820000-memory.dmp (Filesize 2.8MB)
- memory/3280-124-0x00007FF908730000-0x00007FF90890B000-memory.dmp (Filesize 1.9MB)
- memory/3280-125-0x0000000077570000-0x00000000776FE000-memory.dmp (Filesize 1.6MB)
The regions at 0x7FF908730000 and 0x77570000 appear at identical addresses and sizes in both processes, which is consistent with system modules mapped into every process rather than with injected content. The regions private to PID 3280 are the ones worth carving: 0x400000-0x553000 sits at the conventional 32-bit image base and is 1.3MB, far more than the 64KB file on disk, which is what you expect when the child's image has been overwritten with the unpacked payload; 0x401000-0x4FD000 lies inside it and 0x560000-0x820000 (2.8MB) follows it.
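The two pieces of evidence above (the WriteProcessMemory/SetThreadContext rows in Signatures and the memory dump names in Downloads) can be turned into a small triage script. The following is an added example, not part of this sandbox report or of any Triage tooling: it reconstructs which process injected into which from the event rows, then picks out the dumped regions of the target that have no twin at the same address in the source, i.e. the candidates for the unpacked payload. The event and dump lines are transcribed from this report; the two regular expressions are assumptions fitted to the report's text, not an export format.

```python
"""Added example (not part of the sandbox report or of Triage): reconstruct the
injection chain and the candidate payload regions from the report's text.
Input lines are transcribed from the report above; the two regexes are
assumptions fitted to that text, not a Triage export format."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Behavioural IoC rows from the Signatures section (transcribed).
EVENTS = """\
PID 348 set thread context of 3280 348 Proforma Invoice.exe Proforma Invoice.exe
PID 348 wrote to memory of 3280 348 Proforma Invoice.exe Proforma Invoice.exe
PID 348 wrote to memory of 3280 348 Proforma Invoice.exe Proforma Invoice.exe
PID 348 wrote to memory of 3280 348 Proforma Invoice.exe Proforma Invoice.exe
PID 348 wrote to memory of 3280 348 Proforma Invoice.exe Proforma Invoice.exe
"""

# Memory dump names from the Downloads section: memory/<pid>-<n>-<start>-<end>-memory.dmp
DUMPS = """\
memory/348-117-0x00000000029B0000-0x00000000029B8000-memory.dmp
memory/348-118-0x00007FF908730000-0x00007FF90890B000-memory.dmp
memory/348-119-0x0000000077570000-0x00000000776FE000-memory.dmp
memory/3280-120-0x0000000000400000-0x0000000000553000-memory.dmp
memory/3280-122-0x0000000000401000-0x00000000004FD000-memory.dmp
memory/3280-123-0x0000000000560000-0x0000000000820000-memory.dmp
memory/3280-124-0x00007FF908730000-0x00007FF90890B000-memory.dmp
memory/3280-125-0x0000000077570000-0x00000000776FE000-memory.dmp
"""

EVENT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
WRITE, SETCTX = "wrote to memory of", "set thread context of"


@dataclass(frozen=True)
class Region:
    pid: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def parse_events(text):
    """(source_pid, action, target_pid) triples; lines that do not match are skipped."""
    return [(int(m.group(1)), m.group(2), int(m.group(3)))
            for m in map(EVENT_RE.search, text.splitlines()) if m]


def hollowing_pairs(events):
    """(source, target) pairs where one process both wrote into another and
    set a thread context in it: the WriteProcessMemory + SetThreadContext
    pairing used to run injected code in a suspended (often self-spawned) copy."""
    actions = defaultdict(set)
    for src, action, dst in events:
        actions[(src, dst)].add(action)
    return [pair for pair, seen in actions.items() if {WRITE, SETCTX} <= seen]


def parse_dumps(text):
    return [Region(int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16))
            for m in map(DUMP_RE.search, text.splitlines()) if m]


def private_regions(regions, target, source):
    """Dumped regions of `target` that have no twin at the same base/limit in
    `source`. Regions present in both at identical addresses are treated as
    system modules shared by every process, not as injected content."""
    shared = {(r.start, r.end) for r in regions if r.pid == source}
    return [r for r in regions if r.pid == target and (r.start, r.end) not in shared]


def human_size(n):
    """Matches the rounding of the report's Filesize column (32KB, 1008KB, 1.3MB)."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


def analyze(events_text=EVENTS, dumps_text=DUMPS):
    """Return {(source, target): [(start_hex, end_hex, size_str), ...]}."""
    events, regions = parse_events(events_text), parse_dumps(dumps_text)
    return {
        (src, dst): [(hex(r.start), hex(r.end), human_size(r.size))
                     for r in private_regions(regions, dst, src)]
        for src, dst in hollowing_pairs(events)
    }


if __name__ == "__main__":
    for (src, dst), candidates in analyze().items():
        print(f"PID {src} wrote into PID {dst} and set its thread context")
        for start, end, size in candidates:
            print(f"  candidate payload region {start}-{end} ({size})")
```

For this report the script yields one pair, 348 -> 3280, and three candidate regions for PID 3280 (0x400000-0x553000, 0x401000-0x4FD000, 0x560000-0x820000); those are the dumps to fetch from the Downloads list and carve for a PE header. The identical-address heuristic for shared modules is deliberately conservative; on a live case you would confirm it against the target's loaded-module list rather than rely on it alone.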