Analysis
max time kernel: 75s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 19:16

Static task: static1
Behavioral task: behavioral1
  Sample: scan_004768.pdf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: scan_004768.pdf.exe
  Resource: win10v2004-20220414-en
General
Target: scan_004768.pdf.exe
Size: 84KB
MD5: 586552ad9112f084e84c2111cad12ec2
SHA1: 48a50e32aefe8cc29de241c33a91e4ea6c9f7d4b
SHA256: bb5e9e2aea9052040d072c9c9b161d2d5a88c50b049e5a505b016e80910256a0
SHA512: 93a35be4aaecae9a6e118af85ef78d4041ca54b8b18d1bfb6b7acd0827d8f05b1d3f399e9227ed1e5ff53ddaa44588d451d987a98e34f68f957d33a1049c7894
Malware Config
Extracted
Family: guloader
Download URL (second-stage payload, hosted on Google Drive): https://drive.google.com/uc?export=download&id=1SxDM6GGV4qlGFgGvRFhzDr_ALJPLe5wr
Signatures
Guloader, CloudEyE
A shellcode-based downloader first seen in 2020. The shellcode stage fetches its second-stage payload from the URL in the extracted config above.
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
3768  Vedismh8.exe
Checks QEMU agent state file 2 TTPs 4 IoCs
Checks the state file used by the QEMU guest agent, possibly to detect virtualization.
Processes:
description              ioc                                process
File opened (read-only)  C:\ProgramData\qemu-ga\qga.state   scan_004768.pdf.exe
File opened (read-only)  C:\ProgramData\qemu-ga\qga.state   scan_004768.pdf.exe
File opened (read-only)  C:\ProgramData\qemu-ga\qga.state   Vedismh8.exe
File opened (read-only)  C:\ProgramData\qemu-ga\qga.state   Vedismh8.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely used as a geofence before the payload is fetched.
Processes:
description        ioc                                                                                           process
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  scan_004768.pdf.exe
Loads dropped DLL 1 IoCs
Processes:
pid   process
4652  Vedismh8.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description      ioc                                                                                                          process
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  Vedismh8.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Vandkan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\inhellde\\Vedismh8.vbs"  Vedismh8.exe
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  scan_004768.pdf.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Vandkan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\inhellde\\Vedismh8.vbs"  scan_004768.pdf.exe
The persistence value "Vandkan" points at a VBScript (Vedismh8.vbs) in the same dropped folder as Vedismh8.exe. RunOnce entries execute at the next logon of this user and are deleted after running.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
The extracted config points at a Google Drive download URL (see Malware Config).
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class stops the calling thread from delivering debug events, a common anti-debugging step.
Processes:
pid   process
1604  scan_004768.pdf.exe
3916  scan_004768.pdf.exe
3768  Vedismh8.exe
4652  Vedismh8.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
source pid  source process        target pid  target process
1604        scan_004768.pdf.exe   3916        scan_004768.pdf.exe
3768        Vedismh8.exe          4652        Vedismh8.exe
In both cases the parent sets the thread context of a second instance of its own image, the same pairs that receive the WriteProcessMemory calls listed below (self-injection into a fresh copy of the same executable).
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; nothing in this report shows file encryption or writes to user documents, so treat that label with caution for this sample. The only other environment probe recorded is the QEMU agent state check above.
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid   process
1604  scan_004768.pdf.exe
3768  Vedismh8.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1604  scan_004768.pdf.exe
3768  Vedismh8.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
source pid  source process        target pid  target process        writes
1604        scan_004768.pdf.exe   3916        scan_004768.pdf.exe   4
3916        scan_004768.pdf.exe   3768        Vedismh8.exe          3
3768        Vedismh8.exe          4652        Vedismh8.exe          4
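The four behaviours that carry IoCs above (the QEMU agent state file read, the Geo\Nation lookup, the RunOnce value pointing at a script in %TEMP%, and SetThreadContext plus WriteProcessMemory against a second copy of the same image) can be turned into simple matching rules. The block below is an added example written for this page, not sandbox code or anything from the GuLoader sample: it runs those rules over a constructed event list that mirrors the report's IoCs plus two benign controls. The event schema (kind, pid, image, path, key, value, data, target_pid, target_image) is this example's own invention, not the Triage or Sysmon format, and the RunOnce rule is generalised to several script extensions, an assumption beyond the single .vbs seen here.

```python
"""Toy detection pass over sandbox-style events (added example, not sandbox code)."""
import re
from collections import defaultdict

SCAN = r"C:\Users\Admin\AppData\Local\Temp\scan_004768.pdf.exe"
VED = r"C:\Users\Admin\AppData\Local\Temp\inhellde\Vedismh8.exe"
HKU = r"HKU\S-1-5-21-2632097139-1792035885-811742494-1000"


def ev(kind, pid, image, **fields):
    """Build one constructed event record (schema invented for this example)."""
    return {"kind": kind, "pid": pid, "image": image, **fields}


# Constructed events mirroring the report's IoCs, plus two benign controls.
EVENTS = [
    ev("FileOpen", 1604, SCAN, path=r"C:\ProgramData\qemu-ga\qga.state"),
    ev("WriteProcessMemory", 1604, SCAN, target_pid=3916, target_image=SCAN),
    ev("SetThreadContext", 1604, SCAN, target_pid=3916, target_image=SCAN),
    ev("FileOpen", 3916, SCAN, path=r"C:\ProgramData\qemu-ga\qga.state"),
    ev("RegQuery", 3916, SCAN, key=HKU + r"\Control Panel\International\Geo\Nation"),
    ev("RegSet", 1604, SCAN, key=HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
       value="Vandkan", data=r"C:\Users\Admin\AppData\Local\Temp\inhellde\Vedismh8.vbs"),
    ev("WriteProcessMemory", 3916, SCAN, target_pid=3768, target_image=VED),
    ev("FileOpen", 3768, VED, path=r"C:\ProgramData\qemu-ga\qga.state"),
    ev("RegSet", 3768, VED, key=HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
       value="Vandkan", data=r"C:\Users\Admin\AppData\Local\Temp\inhellde\Vedismh8.vbs"),
    ev("WriteProcessMemory", 3768, VED, target_pid=4652, target_image=VED),
    ev("SetThreadContext", 3768, VED, target_pid=4652, target_image=VED),
    ev("FileOpen", 4652, VED, path=r"C:\ProgramData\qemu-ga\qga.state"),
    # Benign controls (constructed): an ordinary file open, and a RunOnce entry
    # that points at an installed program rather than a script under %TEMP%.
    ev("FileOpen", 4100, r"C:\Windows\explorer.exe", path=r"C:\Users\Admin\Documents\notes.txt"),
    ev("RegSet", 4100, r"C:\Windows\explorer.exe",
       key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
       value="Updater", data=r"C:\Program Files\Vendor\update.exe"),
]

QGA_STATE = re.compile(r"\\qemu-ga\\qga\.state$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
RUNONCE_KEY = re.compile(r"\\CurrentVersion\\RunOnce$", re.I)
# Assumption: any interpreter script under the user's Temp directory is suspicious.
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\.*\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd)$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples; detail is the image, or the target PID for injection."""
    hits = []
    injections = defaultdict(set)  # (source pid, target pid) -> API kinds observed
    for e in events:
        kind = e["kind"]
        if kind == "FileOpen" and QGA_STATE.search(e["path"]):
            hits.append(("qemu_agent_state_check", e["pid"], e["image"]))
        elif kind == "RegQuery" and GEO_NATION.search(e["key"]):
            hits.append(("geo_nation_lookup", e["pid"], e["image"]))
        elif kind == "RegSet" and RUNONCE_KEY.search(e["key"]) and TEMP_SCRIPT.search(e["data"].strip('"')):
            hits.append(("runonce_temp_script", e["pid"], e["image"]))
        elif kind in ("WriteProcessMemory", "SetThreadContext"):
            # Self-injection: a second copy of the same image receives written memory
            # and a new thread context (the pairing behind the report's SetThreadContext rows).
            if e["pid"] != e["target_pid"] and basename(e["image"]) == basename(e["target_image"]):
                injections[(e["pid"], e["target_pid"])].add(kind)
    for (src, dst), kinds in sorted(injections.items()):
        if {"WriteProcessMemory", "SetThreadContext"} <= kinds:
            hits.append(("self_injection", src, dst))
    return hits


def summarize(hits):
    """Map each PID to the sorted list of rule names it triggered."""
    by_pid = defaultdict(set)
    for rule, pid, _ in hits:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


if __name__ == "__main__":
    for pid, rules in sorted(summarize(detect(EVENTS)).items()):
        print(pid, ", ".join(rules))
```

The 3916 to 3768 write is deliberately not flagged as injection: the images differ, so it is the parent starting the dropped executable, which the report records separately under "Executes dropped EXE". Requiring both APIs against the same target before reporting self-injection keeps a lone WriteProcessMemory (common in legitimate parents) from firing the rule.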
Processes
1. C:\Users\Admin\AppData\Local\Temp\scan_004768.pdf.exe (PID 1604)
   Command line: "C:\Users\Admin\AppData\Local\Temp\scan_004768.pdf.exe"
   - Checks QEMU agent state file
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2.   C:\Users\Admin\AppData\Local\Temp\scan_004768.pdf.exe (PID 3916, second instance; thread context set and memory written by 1604)
     Command line: "C:\Users\Admin\AppData\Local\Temp\scan_004768.pdf.exe"
     - Checks QEMU agent state file
     - Checks computer location settings
     - Suspicious use of NtSetInformationThreadHideFromDebugger
     - Suspicious use of WriteProcessMemory
3.     C:\Users\Admin\AppData\Local\Temp\inhellde\Vedismh8.exe (PID 3768, dropped copy started by 3916)
       Command line: "C:\Users\Admin\AppData\Local\Temp\inhellde\Vedismh8.exe"
       - Executes dropped EXE
       - Checks QEMU agent state file
       - Adds Run key to start application
       - Suspicious use of NtSetInformationThreadHideFromDebugger
       - Suspicious use of SetThreadContext
       - Suspicious behavior: MapViewOfSection
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
4.       C:\Users\Admin\AppData\Local\Temp\inhellde\Vedismh8.exe (PID 4652, second instance; thread context set and memory written by 3768)
         Command line: "C:\Users\Admin\AppData\Local\Temp\inhellde\Vedismh8.exe"
         - Checks QEMU agent state file
         - Loads dropped DLL
         - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\inhellde\Vedismh8.exe (listed three times in the report, with identical hashes each time)
Filesize: 84KB
MD5: 586552ad9112f084e84c2111cad12ec2
SHA1: 48a50e32aefe8cc29de241c33a91e4ea6c9f7d4b
SHA256: bb5e9e2aea9052040d072c9c9b161d2d5a88c50b049e5a505b016e80910256a0
SHA512: 93a35be4aaecae9a6e118af85ef78d4041ca54b8b18d1bfb6b7acd0827d8f05b1d3f399e9227ed1e5ff53ddaa44588d451d987a98e34f68f957d33a1049c7894
These hashes are identical to the submitted sample (see General): the dropped Vedismh8.exe is a byte-for-byte copy of scan_004768.pdf.exe placed in the inhellde folder, not a new payload.
-
Memory dumps (size is end minus start of the dumped range)
PID 1604
memory/1604-132-0x00000000021D0000-0x00000000021DE000-memory.dmp   56KB
memory/1604-133-0x00007FFFB98B0000-0x00007FFFB9AA5000-memory.dmp   2.0MB
memory/1604-138-0x00000000774D0000-0x0000000077673000-memory.dmp   1.6MB
PID 3916
memory/3916-134-0x0000000000000000-mapping.dmp
memory/3916-135-0x0000000000400000-0x000000000055D000-memory.dmp   1.4MB
memory/3916-137-0x0000000000401000-0x0000000000506000-memory.dmp   1.0MB
memory/3916-139-0x0000000000560000-0x0000000000660000-memory.dmp   1024KB
memory/3916-140-0x00007FFFB98B0000-0x00007FFFB9AA5000-memory.dmp   2.0MB
memory/3916-144-0x00000000774D0000-0x0000000077673000-memory.dmp   1.6MB
PID 3768
memory/3768-141-0x0000000000000000-mapping.dmp
memory/3768-147-0x00000000005F0000-0x00000000005FE000-memory.dmp   56KB
memory/3768-148-0x00007FFFB98B0000-0x00007FFFB9AA5000-memory.dmp   2.0MB
memory/3768-153-0x00000000774D0000-0x0000000077673000-memory.dmp   1.6MB
PID 4652
memory/4652-149-0x0000000000000000-mapping.dmp
memory/4652-155-0x0000000000560000-0x0000000000660000-memory.dmp   1024KB
memory/4652-156-0x00007FFFB98B0000-0x00007FFFB9AA5000-memory.dmp   2.0MB
memory/4652-157-0x00000000774D0000-0x0000000077673000-memory.dmp   1.6MB
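The dump names above encode PID, sequence number and virtual address range, which is enough to recompute each size and to see which ranges recur across processes. The block below is an added example for this page, not part of the sandbox's tooling: it parses the names as listed, reproduces the report's size rendering, and lists ranges that appear at the same address in both injected-into instances (3916 and 4652) and nowhere else. Reading such a range as the likely unpacked stage is a triage heuristic of this example, not something the report states; the naming pattern and the size-rounding rule (whole KB up to 1024KB, one-decimal MB above) are assumptions that match every value the report shows.

```python
"""Parse sandbox memory-dump names and find ranges shared across PIDs (added example)."""
import re
from collections import defaultdict

# Dump names copied from the report's memory section.
DUMPS = [
    "memory/1604-133-0x00007FFFB98B0000-0x00007FFFB9AA5000-memory.dmp",
    "memory/1604-138-0x00000000774D0000-0x0000000077673000-memory.dmp",
    "memory/1604-132-0x00000000021D0000-0x00000000021DE000-memory.dmp",
    "memory/3768-153-0x00000000774D0000-0x0000000077673000-memory.dmp",
    "memory/3768-148-0x00007FFFB98B0000-0x00007FFFB9AA5000-memory.dmp",
    "memory/3768-147-0x00000000005F0000-0x00000000005FE000-memory.dmp",
    "memory/3768-141-0x0000000000000000-mapping.dmp",
    "memory/3916-137-0x0000000000401000-0x0000000000506000-memory.dmp",
    "memory/3916-144-0x00000000774D0000-0x0000000077673000-memory.dmp",
    "memory/3916-140-0x00007FFFB98B0000-0x00007FFFB9AA5000-memory.dmp",
    "memory/3916-139-0x0000000000560000-0x0000000000660000-memory.dmp",
    "memory/3916-134-0x0000000000000000-mapping.dmp",
    "memory/3916-135-0x0000000000400000-0x000000000055D000-memory.dmp",
    "memory/4652-149-0x0000000000000000-mapping.dmp",
    "memory/4652-155-0x0000000000560000-0x0000000000660000-memory.dmp",
    "memory/4652-156-0x00007FFFB98B0000-0x00007FFFB9AA5000-memory.dmp",
    "memory/4652-157-0x00000000774D0000-0x0000000077673000-memory.dmp",
]

# Assumed naming pattern: memory/<pid>-<seq>-<start>-<end>-memory.dmp, or
# memory/<pid>-<seq>-0x0-mapping.dmp for a mapping record with no range.
NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)


def parse(name):
    """Split one dump name into pid, seq, kind, start, end and size in bytes."""
    m = NAME.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "kind": "region" if end is not None else "mapping",
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else 0,
    }


def human(size):
    """Render bytes the way the report does (assumed rule: KB up to 1024KB, else 0.1MB)."""
    if size <= 1024 * 1024:
        return f"{size // 1024}KB"
    return f"{size / (1024 * 1024):.1f}MB"


def shared_regions(names):
    """Map each (start, end) range to the sorted PIDs in which it was dumped."""
    by_range = defaultdict(set)
    for d in map(parse, names):
        if d["kind"] == "region":
            by_range[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in by_range.items()}


def candidates(names, injected_pids):
    """Ranges present at the same address in every injected-into PID and in no other PID."""
    want = sorted(injected_pids)
    return [r for r, pids in shared_regions(names).items() if pids == want]


if __name__ == "__main__":
    for (start, end), pids in sorted(shared_regions(DUMPS).items()):
        print(f"0x{start:X}-0x{end:X} {human(end - start):>7}  PIDs {pids}")
    print("candidate unpacked stage:",
          [f"0x{s:X}-0x{e:X}" for s, e in candidates(DUMPS, {3916, 4652})])
```

The 2.0MB range at 0x7FFFB98B0000 and the 1.6MB range at 0x774D0000 recur in all four processes at the same addresses, which is what shared system modules look like in a dump list; the 1024KB range at 0x560000 recurs only in the two second instances, so it is the first dump to open when looking for the stage that the parents wrote into them.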