Analysis
- max time kernel: 110s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 22:57
Static task: static1
Behavioral task: behavioral1
- Sample: Comprobante de transferencia.pdf.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Comprobante de transferencia.pdf.exe
- Resource: win10-en-20211208
General
- Target: Comprobante de transferencia.pdf.exe
- Size: 48KB
- MD5: fc0557257080e207819d005d257833f8
- SHA1: 5a7d76b52983a8babcfec637c0319a15c2dce22e
- SHA256: 72b08b2bc289e7665a1701f07f6e366898ceb61fa289007187fded38834267f3
- SHA512: c036a1f635bf2adab66c2e29176cca3b1fde4f8319e1f09c562fef8aacf5ad99f61f8036ede90a10d86f6bf56eb67d36528780caa48f8ee8787b8a10e03eddd7
Malware Config
- Extracted family: guloader
- URL: https://drive.google.com/uc?export=download&id=185yfGKZexOdEd7mpzk2cg-0hQHnY6XWe
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Guloader Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2712-116-0x00000000029A0000-0x00000000029A7000-memory.dmp | family_guloader
  behavioral2/memory/3508-119-0x0000000000F00000-0x0000000001100000-memory.dmp | family_guloader
- Legitimate hosting services abused for malware hosting/C2 (1 TTP): the extracted config points the downloader at a Google Drive download URL rather than attacker-owned infrastructure.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | process
  2712 | Comprobante de transferencia.pdf.exe
  3508 | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2712 set thread context of 3508 | 2712 | Comprobante de transferencia.pdf.exe | RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  2712 | Comprobante de transferencia.pdf.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  2712 | Comprobante de transferencia.pdf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 2712 wrote to memory of 3508 | 2712 | Comprobante de transferencia.pdf.exe | RegAsm.exe
  (the same row is recorded four times: four separate cross-process writes into PID 3508)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Comprobante de transferencia.pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Comprobante de transferencia.pdf.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Comprobante de transferencia.pdf.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
   Note: the child runs the RegAsm.exe image but carries the dropper's own command line. That image/command-line mismatch, together with the WriteProcessMemory and SetThreadContext calls from PID 2712 into PID 3508 listed under Signatures, is the injection that puts the GuLoader code into the .NET utility; the family_guloader YARA hit on PID 3508's memory dump is the result.
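The injection pattern above (cross-process WriteProcessMemory plus SetThreadContext, and a target whose command line names a different executable than its mapped image) can be checked mechanically over an API trace. The following is an added example, not code from Triage or from the report; the process table and event list are constructed here from the PIDs, paths and signature rows the report shows, and the DOTNET_HOSTS set of commonly abused .NET utilities is an assumption (only RegAsm.exe appears in this report).

```python
"""Added example: flag cross-process thread-context injection and a
hollowed-host tell (image path vs. command line) over a constructed,
Triage-style process table and API trace."""
import ntpath
from collections import defaultdict

# Constructed process table modelled on the report's process tree.
PROCESSES = {
    2712: {
        "image": r"C:\Users\Admin\AppData\Local\Temp\Comprobante de transferencia.pdf.exe",
        "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Comprobante de transferencia.pdf.exe"',
    },
    3508: {
        "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
        "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Comprobante de transferencia.pdf.exe"',
    },
}

# Constructed API trace: (caller pid, api, target pid). The four
# WriteProcessMemory rows mirror the report's four IoCs.
API_EVENTS = [
    (2712, "NtSetInformationThread", 2712),  # HideFromDebugger on itself
    (2712, "WriteProcessMemory", 3508),
    (2712, "WriteProcessMemory", 3508),
    (2712, "WriteProcessMemory", 3508),
    (2712, "WriteProcessMemory", 3508),
    (2712, "SetThreadContext", 3508),
    (3508, "NtSetInformationThread", 3508),  # HideFromDebugger in the host
]

# Assumed list of signed .NET framework utilities commonly used as
# injection hosts; RegAsm.exe is the one this report records.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def first_token(cmdline: str) -> str:
    """Return the program part of a Windows command line, honouring quotes."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def cmdline_image_mismatch(proc: dict) -> bool:
    """True when the executable named on the command line is not the image
    mapped in the process, which is what a hollowed host looks like."""
    claimed = ntpath.basename(first_token(proc["cmdline"])).lower()
    actual = ntpath.basename(proc["image"]).lower()
    return claimed != actual


def find_injections(processes: dict, events: list) -> list:
    """Report every (source, target) pair that both wrote into and reset a
    thread context of another process, enriched with target-side tells."""
    per_pair = defaultdict(lambda: {"WriteProcessMemory": 0, "SetThreadContext": 0})
    for pid, api, target in events:
        if pid != target and api in per_pair[(pid, target)]:
            per_pair[(pid, target)][api] += 1
    findings = []
    for (src, dst), counts in per_pair.items():
        if counts["WriteProcessMemory"] and counts["SetThreadContext"]:
            target = processes.get(dst, {})
            image = ntpath.basename(target.get("image", "")).lower()
            findings.append({
                "source": src,
                "target": dst,
                "writes": counts["WriteProcessMemory"],
                "target_image": image,
                "dotnet_host": image in DOTNET_HOSTS,
                "cmdline_mismatch": cmdline_image_mismatch(target) if target else False,
            })
    return findings


if __name__ == "__main__":
    for finding in find_injections(PROCESSES, API_EVENTS):
        print(finding)
```

Requiring both a write and a SetThreadContext between the same pair keeps ordinary debuggers and injectors that only write memory out of the result; the command-line mismatch and .NET-host flags are scoring context, not the trigger.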
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2712-116-0x00000000029A0000-0x00000000029A7000-memory.dmp (28KB)
- memory/2712-117-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp (1.9MB)
- memory/2712-118-0x0000000077000000-0x000000007718E000-memory.dmp (1.6MB)
- memory/3508-119-0x0000000000F00000-0x0000000001100000-memory.dmp (2.0MB)
- memory/3508-120-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp (1.9MB)
- memory/3508-121-0x0000000077000000-0x000000007718E000-memory.dmp (1.6MB)
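The dump names encode the PID, a sequence number and the address range, so which dumps to open first can be decided without downloading them: the two ranges that appear in both PIDs are shared mappings, while the ranges that carry the family_guloader hit are private to one process (the 28KB region in the dropper and the 2.0MB region in RegAsm.exe). The following is an added example, not Triage code; it parses the names exactly as listed above and takes the YARA hits from the Guloader Payload signature. The size rounding is assumed to match the report's (whole KB below 1MB, one decimal of MB above).

```python
"""Added example: parse Triage memory dump names, recompute sizes, mark
ranges shared across PIDs, and order dumps by YARA hit and privacy."""
import re
from collections import defaultdict

# Dump names exactly as the report's Downloads section lists them.
DUMPS = [
    "memory/2712-116-0x00000000029A0000-0x00000000029A7000-memory.dmp",
    "memory/2712-117-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp",
    "memory/2712-118-0x0000000077000000-0x000000007718E000-memory.dmp",
    "memory/3508-119-0x0000000000F00000-0x0000000001100000-memory.dmp",
    "memory/3508-120-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp",
    "memory/3508-121-0x0000000077000000-0x000000007718E000-memory.dmp",
]

# YARA hits as the report's "Guloader Payload" signature names them.
YARA_HITS = {
    "behavioral2/memory/2712-116-0x00000000029A0000-0x00000000029A7000-memory.dmp": "family_guloader",
    "behavioral2/memory/3508-119-0x0000000000F00000-0x0000000001100000-memory.dmp": "family_guloader",
}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, with or without a task prefix.
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> dict:
    """Split a Triage dump name into pid, sequence number and address range."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Triage memory dump name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"name": name, "pid": int(m.group(1)), "seq": int(m.group(2)),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Render a byte count the way the report's Downloads list does (assumed rounding)."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def triage(dumps: list, hits: dict) -> list:
    """Annotate each dump with its size, YARA rule and whether the same
    range exists in another PID, then order: hits first, private regions
    before shared ones, then by pid and sequence."""
    hit_by_key = {}
    for name, rule in hits.items():
        p = parse_dump_name(name)
        hit_by_key[(p["pid"], p["seq"])] = rule
    parsed = [parse_dump_name(d) for d in dumps]
    pids_per_range = defaultdict(set)
    for p in parsed:
        pids_per_range[(p["start"], p["end"])].add(p["pid"])
    for p in parsed:
        p["shared"] = len(pids_per_range[(p["start"], p["end"])]) > 1
        p["rule"] = hit_by_key.get((p["pid"], p["seq"]))
        p["size_str"] = human_size(p["size"])
    parsed.sort(key=lambda p: (p["rule"] is None, p["shared"], p["pid"], p["seq"]))
    return parsed


if __name__ == "__main__":
    for row in triage(DUMPS, YARA_HITS):
        flag = row["rule"] or ("shared" if row["shared"] else "private")
        print(f'{row["pid"]}-{row["seq"]} {row["size_str"]:>6} {flag}')
```

The two dumps that rise to the top are the 28KB region in PID 2712 (the decoded shellcode stage) and the 2.0MB private region in PID 3508 (the injected payload); the 1.9MB and 1.6MB ranges are identical in both processes and can be deprioritised.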