Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
  • submitted
    20-12-2022 14:06

General

  • Target

    DHL online Customer AWB Shipping Docs.Commercial Invoice. Packing List. BL Draft THS0094587231.pdf.exe

  • Size

    513KB

  • MD5

    a52478e75fbb20e4d0c2de385db1b3ce

  • SHA1

    ed9a76bd4c286c2b7ffa7b0bf5b66db2a1eb1088

  • SHA256

    88784edc4183537c005102816de40a74499b1261a416eb02fcf1dbcc634b349b

  • SHA512

    d2e0abab3c5bc436f2131d231761ba2539a9280781b3fa7eeac3f6a4a8c9d38c7d5d0ccdea952c5c2fe91e0803467eef1a583defedf7e7efd4d561d5d2d31d1c

  • SSDEEP

    12288:L3LuHzF7bje6/+3lRe+Q3JRtB1Ir/YJGPm030VDbHQ:WTF7PK3lRe+W5D8/YguHQ

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL online Customer AWB Shipping Docs.Commercial Invoice. Packing List. BL Draft THS0094587231.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL online Customer AWB Shipping Docs.Commercial Invoice. Packing List. BL Draft THS0094587231.pdf.exe"
    1⤵
    • Loads dropped DLL
    PID:1588

Network

MITRE ATT&CK Enterprise v6


Downloads

  • \Users\Admin\AppData\Local\Temp\nsiE83.tmp\System.dll

    Filesize

    11KB

    MD5

    8b3830b9dbf87f84ddd3b26645fed3a0

    SHA1

    223bef1f19e644a610a0877d01eadc9e28299509

    SHA256

    f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    SHA512

    d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

  • memory/1588-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

    Filesize

    8KB

  • memory/1588-56-0x0000000002540000-0x000000000318A000-memory.dmp

    Filesize

    12.3MB

  • memory/1588-57-0x0000000002540000-0x000000000318A000-memory.dmp

    Filesize

    12.3MB