Analysis
- max time kernel: 158s
- max time network: 158s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 05:37
Static task: static1
Behavioral task: behavioral1
  Sample: 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  Resource: win10-en-20211208
General
- Target: 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
- Size: 52KB
- MD5: 61ce777555ee4d591ff151e0927ab8d4
- SHA1: 3c5a6a8825101a71d2372f5c6961861ef1b4223f
- SHA256: 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923
- SHA512: 3783ae2713492347fa627e51f3def9ec0502ed5c4d0f7e5c0932f80fa93e6a951ceb5708bd6347c031e081b1f7017bf86597db34fb6655f2f748439c825bd628
Malware Config
Extracted: guloader
URL: https://share.dmca.gripe/hUZTLm0ETh86oDEL.bin
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Executes dropped EXE 1 IoCs
Processes:
  pid  | process
  1644 | filename1.exe
-
Loads dropped DLL 3 IoCs
Processes:
  pid  | process
  584  | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  584  | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  1208 | filename1.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
  description     | ioc | process
  Key created     | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\subfolder1\\filename1.vbs" | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | filename1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\subfolder1\\filename1.vbs" | filename1.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
  pid  | process
  1940 | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  584  | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  1644 | filename1.exe
  1208 | filename1.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                          | pid  | process | target process
  PID 1940 set thread context of 584   | 1940 | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  PID 1644 set thread context of 1208  | 1644 | filename1.exe | filename1.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
  pid  | process
  1940 | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  1644 | filename1.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid  | process
  1940 | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
  1644 | filename1.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  description                        | pid  | process | target process | events
  PID 1940 wrote to memory of 584    | 1940 | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe | 5
  PID 584 wrote to memory of 1644    | 584  | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe | filename1.exe | 4
  PID 1644 wrote to memory of 1208   | 1644 | filename1.exe | filename1.exe | 5
Processes
1. C:\Users\Admin\AppData\Local\Temp\29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe"
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe"
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\subfolder1\filename1.exe (child of 2)
         Command line: "C:\Users\Admin\subfolder1\filename1.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\subfolder1\filename1.exe (child of 3)
            Command line: "C:\Users\Admin\subfolder1\filename1.exe"
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\subfolder1\filename1.exe
  MD5: 61ce777555ee4d591ff151e0927ab8d4
  SHA1: 3c5a6a8825101a71d2372f5c6961861ef1b4223f
  SHA256: 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923
  SHA512: 3783ae2713492347fa627e51f3def9ec0502ed5c4d0f7e5c0932f80fa93e6a951ceb5708bd6347c031e081b1f7017bf86597db34fb6655f2f748439c825bd628
- \Users\Admin\subfolder1\filename1.exe
  MD5: 61ce777555ee4d591ff151e0927ab8d4
  SHA1: 3c5a6a8825101a71d2372f5c6961861ef1b4223f
  SHA256: 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923
  SHA512: 3783ae2713492347fa627e51f3def9ec0502ed5c4d0f7e5c0932f80fa93e6a951ceb5708bd6347c031e081b1f7017bf86597db34fb6655f2f748439c825bd628
- memory/584-59-0x0000000000400000-0x0000000000553000-memory.dmp, Filesize: 1.3MB
- memory/584-66-0x00000000001B0000-0x0000000000400000-memory.dmp, Filesize: 2.3MB
- memory/584-67-0x00000000773F0000-0x0000000077599000-memory.dmp, Filesize: 1.7MB
- memory/584-68-0x00000000775D0000-0x0000000077750000-memory.dmp, Filesize: 1.5MB
- memory/1208-87-0x00000000775D0000-0x0000000077750000-memory.dmp, Filesize: 1.5MB
- memory/1208-86-0x00000000773F0000-0x0000000077599000-memory.dmp, Filesize: 1.7MB
- memory/1208-85-0x00000000001B0000-0x00000000002B0000-memory.dmp, Filesize: 1024KB
- memory/1644-78-0x0000000000280000-0x0000000000288000-memory.dmp, Filesize: 32KB
- memory/1644-80-0x00000000773F0000-0x0000000077599000-memory.dmp, Filesize: 1.7MB
- memory/1644-82-0x00000000775D0000-0x0000000077750000-memory.dmp, Filesize: 1.5MB
- memory/1940-57-0x0000000075431000-0x0000000075433000-memory.dmp, Filesize: 8KB
- memory/1940-63-0x00000000775D0000-0x0000000077750000-memory.dmp, Filesize: 1.5MB
- memory/1940-60-0x00000000773F0000-0x0000000077599000-memory.dmp, Filesize: 1.7MB
- memory/1940-58-0x0000000000310000-0x0000000000318000-memory.dmp, Filesize: 32KB