Analysis
- max time kernel: 127s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25-01-2022 18:52
Static task: static1
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-en-20211208
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 1.exe
- Resource: win10-en-20211208
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: 1.exe
- Size: 112KB
- MD5: ae871d1957030344d4cefc7295a1e964
- SHA1: 73e0d642d14ca3dcfca3d22fa2312968d1ba5cd6
- SHA256: 6f8a836d10eada55bb1d3901ceb5b97711afc9f7018e3bd0f0a8e77521f18e5b
- SHA512: bc5a39f9a86bc6d461c32a947a61d7bbd0dd8ae93700bc9e3e984b33df6b9a0fac0e8dd71ca50e8dcfee9314bd00824fd4ec507c66e22e4bd20c1edf0dad4679
- Score: 10/10
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes:
  description | ioc | process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 1.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 1.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  pid | process
  1132 | 1.exe
  2236 | 1.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1132 set thread context of 2236 | 1132 | 1.exe | 1.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid | process
  1132 | 1.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  1132 | 1.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1132 wrote to memory of 2236 | 1132 | 1.exe | 1.exe
  PID 1132 wrote to memory of 2236 | 1132 | 1.exe | 1.exe
  PID 1132 wrote to memory of 2236 | 1132 | 1.exe | 1.exe
  PID 1132 wrote to memory of 2236 | 1132 | 1.exe | 1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1.exe (tree depth 2, spawned by the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1132-117-0x0000000002380000-0x0000000002393000-memory.dmp (filesize: 76KB)
- memory/1132-118-0x00007FFE2E720000-0x00007FFE2E8FB000-memory.dmp (filesize: 1.9MB)
- memory/1132-119-0x0000000077DE0000-0x0000000077F6E000-memory.dmp (filesize: 1.6MB)
- memory/1132-121-0x0000000077DE0000-0x0000000077F6E000-memory.dmp (filesize: 1.6MB)
- memory/2236-120-0x0000000000400000-0x0000000000553000-memory.dmp (filesize: 1.3MB)
- memory/2236-123-0x0000000000401000-0x00000000004FD000-memory.dmp (filesize: 1008KB)
- memory/2236-124-0x0000000000560000-0x0000000000710000-memory.dmp (filesize: 1.7MB)
- memory/2236-125-0x00007FFE2E720000-0x00007FFE2E8FB000-memory.dmp (filesize: 1.9MB)
- memory/2236-126-0x0000000077DE0000-0x0000000077F6E000-memory.dmp (filesize: 1.6MB)