Analysis
- max time kernel: 88s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:35
Static task: static1
Behavioral task: behavioral1
- Sample: sgemaskine.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: sgemaskine.exe
- Resource: win10v2004-20220414-en
General
- Target: sgemaskine.exe
- Size: 84KB
- MD5: 050e6cb50c426c5f50cf018b296d3df5
- SHA1: 1dcb50669df7d7856b6c8248c81a057640c26d84
- SHA256: 9e3ccccbdae5037867b30ec99ab71a8422ae9b0be42bf6b7ee0dddf07e4f03c0
- SHA512: 22fbaa4109414be48f527da47fd4ccded45fb6cfe7783af1dabd8da60fc05db907b122bbbfc0fb0d9110f4e621487b22bc8e50ee8d954b858b00888f1670b185
Malware Config
Extracted: guloader
- https://drive.google.com/uc?export=download&id=1nJFzy3bHUwUvYTEcawaRZ_EVi8Bn13Js
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1064 | ABOVEG.bat
- Checks QEMU agent state file (2 TTPs, 4 IoCs)
  Checks state file used by QEMU agent, possibly to detect virtualization.
  Processes (description | ioc | process):
    File opened (read-only) | C:\ProgramData\qemu-ga\qga.state | ABOVEG.bat
    File opened (read-only) | C:\ProgramData\qemu-ga\qga.state | ABOVEG.bat
    File opened (read-only) | C:\ProgramData\qemu-ga\qga.state | sgemaskine.exe
    File opened (read-only) | C:\ProgramData\qemu-ga\qga.state | sgemaskine.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | sgemaskine.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    3664 | ABOVEG.bat
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | sgemaskine.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Rgskysgr6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tilkbene\\ABOVEG.vbs" | sgemaskine.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | ABOVEG.bat
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Rgskysgr6 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tilkbene\\ABOVEG.vbs" | ABOVEG.bat
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (pid | process):
    4800 | sgemaskine.exe
    4648 | sgemaskine.exe
    1064 | ABOVEG.bat
    3664 | ABOVEG.bat
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
    PID 4800 set thread context of 4648 | 4800 | sgemaskine.exe | sgemaskine.exe
    PID 1064 set thread context of 3664 | 1064 | ABOVEG.bat | ABOVEG.bat
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid | process):
    4800 | sgemaskine.exe
    1064 | ABOVEG.bat
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
    4800 | sgemaskine.exe
    1064 | ABOVEG.bat
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
    PID 4800 wrote to memory of 4648 | 4800 | sgemaskine.exe | sgemaskine.exe (4 occurrences)
    PID 4648 wrote to memory of 1064 | 4648 | sgemaskine.exe | ABOVEG.bat (3 occurrences)
    PID 1064 wrote to memory of 3664 | 1064 | ABOVEG.bat | ABOVEG.bat (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\sgemaskine.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sgemaskine.exe"
  - Checks QEMU agent state file
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\sgemaskine.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sgemaskine.exe"
    - Checks QEMU agent state file
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat"
      - Executes dropped EXE
      - Checks QEMU agent state file
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat"
        - Checks QEMU agent state file
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tilkbene\ABOVEG.bat
  Filesize: 84KB
  MD5: 050e6cb50c426c5f50cf018b296d3df5
  SHA1: 1dcb50669df7d7856b6c8248c81a057640c26d84
  SHA256: 9e3ccccbdae5037867b30ec99ab71a8422ae9b0be42bf6b7ee0dddf07e4f03c0
  SHA512: 22fbaa4109414be48f527da47fd4ccded45fb6cfe7783af1dabd8da60fc05db907b122bbbfc0fb0d9110f4e621487b22bc8e50ee8d954b858b00888f1670b185
- memory/1064-148-0x00007FFEE34F0000-0x00007FFEE36E5000-memory.dmp (Filesize: 2.0MB)
- memory/1064-147-0x0000000001F90000-0x0000000001F9E000-memory.dmp (Filesize: 56KB)
- memory/1064-153-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/1064-142-0x0000000000000000-mapping.dmp
- memory/3664-155-0x0000000000560000-0x0000000000660000-memory.dmp (Filesize: 1024KB)
- memory/3664-157-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/3664-149-0x0000000000000000-mapping.dmp
- memory/3664-156-0x00007FFEE34F0000-0x00007FFEE36E5000-memory.dmp (Filesize: 2.0MB)
- memory/4648-140-0x00007FFEE34F0000-0x00007FFEE36E5000-memory.dmp (Filesize: 2.0MB)
- memory/4648-136-0x0000000000400000-0x000000000055D000-memory.dmp (Filesize: 1.4MB)
- memory/4648-135-0x0000000000000000-mapping.dmp
- memory/4648-141-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)
- memory/4648-139-0x0000000000560000-0x0000000000660000-memory.dmp (Filesize: 1024KB)
- memory/4648-138-0x0000000000401000-0x0000000000506000-memory.dmp (Filesize: 1.0MB)
- memory/4800-133-0x00007FFEE34F0000-0x00007FFEE36E5000-memory.dmp (Filesize: 2.0MB)
- memory/4800-132-0x0000000000640000-0x000000000064E000-memory.dmp (Filesize: 56KB)
- memory/4800-134-0x00000000772F0000-0x0000000077493000-memory.dmp (Filesize: 1.6MB)