Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 08:04
Static task: static1
Behavioral task: behavioral1
  Sample: 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
  Resource: win10v2004-en-20220113
General
- Target: 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
- Size: 80KB
- MD5: 950483bcaff55045d695761e386cb514
- SHA1: 9a4cf1caf2bd6082883c24f6e4d6b98fffed71f0
- SHA256: 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe
- SHA512: 90f8aed09c42fad97194bd1c4b787af72cae287e35516635ff4cfb92072340dd970d3e67182d8d5ab8662d6aa2b2cfc4b756aa17f04ba79b477c72ab56026900
Malware Config
Extracted: guloader
URL: https://drive.google.com/uc?export=download&id=1UnZE1_XDcad5DW8fsVFD8K1ZYDla2tyn
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Guloader Payload (2 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1572-59-0x0000000000240000-0x000000000024A000-memory.dmp | family_guloader
    behavioral1/memory/868-65-0x00000000002F0000-0x00000000003F0000-memory.dmp | family_guloader
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: RegAsm.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | RegAsm.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PREDIVIDEN = "C:\\Users\\Admin\\DIGEGREVE\\botryt.exe" | RegAsm.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe, RegAsm.exe
    pid | process
    1572 | 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
    868 | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
    description | pid | process | target process
    PID 1572 set thread context of 868 | 1572 | 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe | RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
    pid | process
    1572 | 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
    pid | process
    1572 | 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
    description | pid | process | target process
    PID 1572 wrote to memory of 868 | 1572 | 1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe | RegAsm.exe (8 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe"
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/868-65-0x00000000002F0000-0x00000000003F0000-memory.dmp (Filesize: 1024KB)
- memory/868-66-0x0000000076D30000-0x0000000076ED9000-memory.dmp (Filesize: 1.7MB)
- memory/868-67-0x0000000076F10000-0x0000000077090000-memory.dmp (Filesize: 1.5MB)
- memory/1572-58-0x0000000075AB1000-0x0000000075AB3000-memory.dmp (Filesize: 8KB)
- memory/1572-59-0x0000000000240000-0x000000000024A000-memory.dmp (Filesize: 40KB)
- memory/1572-60-0x0000000076D30000-0x0000000076ED9000-memory.dmp (Filesize: 1.7MB)
- memory/1572-61-0x0000000076F10000-0x0000000077090000-memory.dmp (Filesize: 1.5MB)