Analysis
max time kernel: 71s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-07-2022 13:28
Behavioral task: behavioral1
Sample: SOA.exe
Resource: win7-20220414-en (windows7-x64)
8 signatures, 150 seconds

Behavioral task: behavioral2
Sample: SOA.exe
Resource: win10v2004-20220718-en (windows10-2004-x64)
8 signatures, 150 seconds
General
Target: SOA.exe
Size: 188KB
MD5: 513180affbaff85bb0fc7cfda975eed0
SHA1: 2c2a6467f735c400cd6d6b7bd134c88170b53c64
SHA256: 05804946495c374598d2e32fe407b86a8668fb67b28591953ee320e3b71d63c3
SHA512: 88c0e48c17ee5f0e15d0047934e5f4dc845dadf56bbd4304e8dfe8283c1e6f52282c4a602da872abc5bc769c6c569d5d1755d331c7e396ee742f1b81ab003675
Score: 10/10
Malware Config
Extracted
Family: guloader
C2: https://drive.google.com/uc?export=download&id=1fnZYdfwUJYzHFLrXgG7wIq6WxcijjIHV
xor.base64
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Guloader payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/1048-132-0x0000000000000000-mapping.dmp                     family_guloader
  behavioral2/memory/1048-136-0x0000000001300000-0x0000000001400000-memory.dmp   family_guloader
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid    process
  868    SOA.exe
  1048   RegAsm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   process   target process
  PID 868 set thread context of 1048    868   SOA.exe   RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid    process
  868    SOA.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid    process
  868    SOA.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                           pid   process   target process
  PID 868 wrote to memory of 1048       868   SOA.exe   RegAsm.exe
  PID 868 wrote to memory of 1048       868   SOA.exe   RegAsm.exe
  PID 868 wrote to memory of 1048       868   SOA.exe   RegAsm.exe
  PID 868 wrote to memory of 1048       868   SOA.exe   RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SOA.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
resource                                                             Filesize
memory/868-133-0x00000000022A0000-0x00000000022AA000-memory.dmp      40KB
memory/868-134-0x00007FF8CC4B0000-0x00007FF8CC6A5000-memory.dmp      2.0MB
memory/868-135-0x0000000077AD0000-0x0000000077C73000-memory.dmp      1.6MB
memory/868-141-0x00000000022A0000-0x00000000022AA000-memory.dmp      40KB
memory/868-142-0x0000000077AD0000-0x0000000077C73000-memory.dmp      1.6MB
memory/1048-132-0x0000000000000000-mapping.dmp                       -
memory/1048-137-0x00007FF8CC4B0000-0x00007FF8CC6A5000-memory.dmp     2.0MB
memory/1048-136-0x0000000001300000-0x0000000001400000-memory.dmp     1024KB
memory/1048-138-0x0000000077AD0000-0x0000000077C73000-memory.dmp     1.6MB
memory/1048-139-0x00007FF8CC4B0000-0x00007FF8CC6A5000-memory.dmp     2.0MB
memory/1048-140-0x0000000077AD0000-0x0000000077C73000-memory.dmp     1.6MB