Analysis
max time kernel: 146s
max time network: 171s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 18:35

Tasks
Static task: static1
Behavioral task: behavioral1 (sample sgemaskine.exe, resource win7-20220414-en)
Behavioral task: behavioral2 (sample sgemaskine.exe, resource win10v2004-20220414-en)
The signatures, process tree and dumps below are from the Windows 7 x64 run (behavioral1); the Windows 10 task is listed but its results are not included on this page.
General
Target: sgemaskine.exe
Size: 84KB
MD5: 050e6cb50c426c5f50cf018b296d3df5
SHA1: 1dcb50669df7d7856b6c8248c81a057640c26d84
SHA256: 9e3ccccbdae5037867b30ec99ab71a8422ae9b0be42bf6b7ee0dddf07e4f03c0
SHA512: 22fbaa4109414be48f527da47fd4ccded45fb6cfe7783af1dabd8da60fc05db907b122bbbfc0fb0d9110f4e621487b22bc8e50ee8d954b858b00888f1670b185
Malware Config
Extracted family: guloader
Payload URL: https://drive.google.com/uc?export=download&id=1nJFzy3bHUwUvYTEcawaRZ_EVi8Bn13Js
Signatures

- GuLoader (also tracked as CloudEyE)
  A shellcode based downloader first seen in 2020.

- Executes dropped EXE (1 IoC)
  PID 1208: ABOVEG.bat
  Despite the .bat extension, the dropped file has the same MD5/SHA1/SHA256/SHA512 as the submitted sample (see Downloads), so it is a renamed copy of the PE and runs as an executable.

- Checks QEMU agent state file (2 TTPs, 4 IoCs)
  Checks the state file used by the QEMU guest agent, a common virtualization check.
  File opened (read-only) C:\ProgramData\qemu-ga\qga.state by sgemaskine.exe (twice) and ABOVEG.bat (twice).

- Loads dropped DLL (4 IoCs)
  PID 1340 sgemaskine.exe (twice), PID 1208 ABOVEG.bat, PID 2028 ABOVEG.bat

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (by sgemaskine.exe and by ABOVEG.bat)
  Set value (str): ...\CurrentVersion\RunOnce\Rgskysgr6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tilkbene\\ABOVEG.vbs" (by sgemaskine.exe and by ABOVEG.bat)
  Persistence is a RunOnce entry pointing at a .vbs in the user's Temp directory; the value is written by both the original and the dropped copy.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  The extracted payload URL is on Google Drive (see Malware Config).

- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  PID 748 sgemaskine.exe, PID 1340 sgemaskine.exe, PID 1208 ABOVEG.bat, PID 2028 ABOVEG.bat

- Suspicious use of SetThreadContext (2 IoCs)
  PID 748 sgemaskine.exe set thread context of 1340 sgemaskine.exe
  PID 1208 ABOVEG.bat set thread context of 2028 ABOVEG.bat

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic; this sample is a downloader and nothing else on the page indicates encryption activity.

- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 748 sgemaskine.exe, PID 1208 ABOVEG.bat

- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 748 sgemaskine.exe, PID 1208 ABOVEG.bat

- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 748 sgemaskine.exe wrote to memory of 1340 sgemaskine.exe (5 times)
  PID 1340 sgemaskine.exe wrote to memory of 1208 ABOVEG.bat (4 times)
  PID 1208 ABOVEG.bat wrote to memory of 2028 ABOVEG.bat (5 times)
  Combined with the SetThreadContext entries, 748 -> 1340 and 1208 -> 2028 are the WriteProcessMemory + SetThreadContext pattern of process hollowing into a child of the same image; 1340 -> 1208 has writes but no thread-context change recorded.
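The signature tables above describe three behaviours a detection engineer would key on: a Run/RunOnce value pointing at a script in the user's Temp directory, a read of the QEMU guest-agent state file, and WriteProcessMemory followed by SetThreadContext into a child process. The following Python is an added example, not part of the sandbox report or of any vendor's rule set. It encodes those three checks and runs them over constructed Sysmon-style events that reuse the report's PIDs, paths and registry value; the event schema and the two benign control events are assumptions.

```python
import re
from collections import defaultdict

# Constructed events modelled on the IoC tables in this report (not a sandbox export).
# PIDs, paths and the RunOnce value are taken from the report; the schema is assumed.
EVENTS = [
    {"type": "reg_set", "pid": 748, "image": "sgemaskine.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Rgskysgr6",
     "value": r"C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.vbs"},
    {"type": "file_read", "pid": 748, "image": "sgemaskine.exe",
     "path": r"C:\ProgramData\qemu-ga\qga.state"},
    {"type": "write_process_memory", "pid": 748, "image": "sgemaskine.exe",
     "target_pid": 1340, "target_image": "sgemaskine.exe"},
    {"type": "set_thread_context", "pid": 748, "image": "sgemaskine.exe",
     "target_pid": 1340, "target_image": "sgemaskine.exe"},
    # 1340 writes into the dropped copy but no thread-context change is recorded.
    {"type": "write_process_memory", "pid": 1340, "image": "sgemaskine.exe",
     "target_pid": 1208, "target_image": "ABOVEG.bat"},
    {"type": "write_process_memory", "pid": 1208, "image": "ABOVEG.bat",
     "target_pid": 2028, "target_image": "ABOVEG.bat"},
    {"type": "set_thread_context", "pid": 1208, "image": "ABOVEG.bat",
     "target_pid": 2028, "target_image": "ABOVEG.bat"},
    # Constructed benign controls that the rules must not flag.
    {"type": "reg_set", "pid": 900, "image": "explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "file_read", "pid": 4, "image": "System",
     "path": r"C:\Windows\System32\config\SOFTWARE"},
]

# Run or RunOnce value under any hive prefix (HKCU, HKU\<SID>, \REGISTRY\USER\...).
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Per-user Temp directory: writable without privileges, so a poor home for autoruns.
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Script host extensions, allowing trailing arguments after the path.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|bat|cmd|ps1)(?:\s|$)", re.IGNORECASE)
QGA_STATE = r"c:\programdata\qemu-ga\qga.state"


def suspicious_autorun(ev):
    """Run/RunOnce value whose target is a script under the user's Temp directory."""
    if ev["type"] != "reg_set" or not RUN_KEY.search(ev["key"]):
        return False
    target = ev["value"].strip('"')
    return bool(USER_TEMP.match(target)) and bool(SCRIPT_EXT.search(target))


def qemu_agent_probe(ev):
    """Read of the QEMU guest-agent state file, used here as a VM-detection check."""
    return ev["type"] == "file_read" and ev["path"].lower() == QGA_STATE


def hollowing_pairs(events):
    """(injector_pid, target_pid) where one process both wrote another's memory and
    replaced a thread context in it. A write alone (1340 -> 1208 above) is not enough."""
    wrote, ctx = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["type"] == "write_process_memory":
            wrote[ev["pid"]].add(ev["target_pid"])
        elif ev["type"] == "set_thread_context":
            ctx[ev["pid"]].add(ev["target_pid"])
    return sorted((p, t) for p in ctx for t in ctx[p] & wrote[p])


def triage(events):
    """Return (rule, pid, detail) findings for the whole event list."""
    findings = []
    for ev in events:
        if suspicious_autorun(ev):
            findings.append(("autorun_script_in_temp", ev["pid"], ev["value"]))
        if qemu_agent_probe(ev):
            findings.append(("qemu_ga_state_probe", ev["pid"], ev["path"]))
    for injector, target in hollowing_pairs(events):
        findings.append(("process_hollowing", injector, target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

The hollowing rule deliberately requires both the memory write and the thread-context change from the same injector: the write from 1340 into 1208 is the parent staging the dropped copy, and flagging it alone would also catch ordinary debuggers and installers. The OneDrive control passes because its autorun target lives outside Temp and is an executable, not a script.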
Processes (PIDs taken from the IoC tables above)

- C:\Users\Admin\AppData\Local\Temp\sgemaskine.exe (PID 748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sgemaskine.exe"
  - Checks QEMU agent state file
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\sgemaskine.exe (PID 1340, child of 748)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sgemaskine.exe"
    - Checks QEMU agent state file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat (PID 1208, child of 1340)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat"
      - Executes dropped EXE
      - Checks QEMU agent state file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat (PID 2028, child of 1208)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat"
        - Checks QEMU agent state file
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger

The dropped copy repeats the original's two-stage pattern: each on-disk image spawns a second instance of itself and hollows it.
Network
No network entries are recorded on this page.

MITRE ATT&CK Matrix (ATT&CK v6)
No technique mapping is shown on this page.
Downloads

- C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat (also recorded as \Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat)
  Filesize: 84KB
  MD5: 050e6cb50c426c5f50cf018b296d3df5
  SHA1: 1dcb50669df7d7856b6c8248c81a057640c26d84
  SHA256: 9e3ccccbdae5037867b30ec99ab71a8422ae9b0be42bf6b7ee0dddf07e4f03c0
  SHA512: 22fbaa4109414be48f527da47fd4ccded45fb6cfe7783af1dabd8da60fc05db907b122bbbfc0fb0d9110f4e621487b22bc8e50ee8d954b858b00888f1670b185
  These hashes are identical to the submitted sgemaskine.exe, so the only file dropped to disk is a renamed copy of the sample.
Memory dumps

- PID 748 (sgemaskine.exe)
  748-56: 0x00000000003F0000-0x00000000003FE000 (56KB)
  748-57: 0x0000000076ED0000-0x0000000077079000 (1.7MB)
  748-59: 0x0000000075541000-0x0000000075543000 (8KB)
  748-62: 0x00000000770B0000-0x0000000077230000 (1.5MB)

- PID 1340 (sgemaskine.exe, hollowed child)
  1340-60: mapping at 0x00000000004014F0
  1340-61: 0x0000000000400000-0x0000000000553000 (1.3MB)
  1340-64: 0x00000000001B0000-0x00000000002B0000 (1024KB)
  1340-65: 0x0000000076ED0000-0x0000000077079000 (1.7MB)
  1340-73: 0x00000000770B0000-0x0000000077230000 (1.5MB)

- PID 1208 (ABOVEG.bat)
  1208-71: mapping at 0x0000000000000000
  1208-82: 0x0000000000250000-0x000000000025E000 (56KB)
  1208-85: 0x0000000076ED0000-0x0000000077079000 (1.7MB)
  1208-86: 0x00000000770B0000-0x0000000077230000 (1.5MB)

- PID 2028 (ABOVEG.bat, hollowed child)
  2028-80: mapping at 0x00000000004014F0
  2028-89: 0x00000000001B0000-0x00000000002B0000 (1024KB)
  2028-90: 0x0000000076ED0000-0x0000000077079000 (1.7MB)
  2028-91: 0x00000000770B0000-0x0000000077230000 (1.5MB)

The two hollowed children share the same mapping address (0x4014F0) and the same 1024KB region at 0x1B0000, consistent with the same image being injected in both stages; the 1.3MB region at the 0x400000 image base in PID 1340 is far larger than the 84KB file on disk.