Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-12-2022 20:04
Static task
- static1
Behavioral task
- behavioral1
  Sample: C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
  Resource: win10v2004-20220812-en
General
- Target: C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
- Size: 456KB
- MD5: c3bbddb6cebd8672a4fa8b7b8ba20a1e
- SHA1: 4dae188eb28413a1f8b21e22761cd1d65260a495
- SHA256: 309ec4a383a2322d4d5bf95da7efed35f43b4957b5f5255003d93019dd10ba70
- SHA512: 9e6212501f9a4a23dd5f6972ed837c91bb61affcf4ce4fa710f558c9cc1db4618ea10613fc6da4d2f66fd1801e39adc7a9db942a2775b24df412ecedca113e1c
- SSDEEP: 12288:q2d0rASyHEXQ+ex/NeG7t1utf5P7kYiHG:qoSyUy/YwrG
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode-based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes: C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe, ieinstal.exe
    description              ioc                                    process
    File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
    File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   ieinstal.exe
- Loads dropped DLL (1 IoCs)
  Processes: C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
    pid   process
    1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: ieinstal.exe
    description      ioc                                                                                                                                                                                          process
    Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                                                                 ieinstal.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Homonuclear = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Julekalenderen149\\Straalingsintensiteter.exe"  ieinstal.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe, ieinstal.exe
    pid   process
    1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
    1136  ieinstal.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
    description                         pid   process                               target process
    PID 1712 set thread context of 1136  1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe  ieinstal.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
    pid   process
    1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
    description                      pid   process                               target process
    PID 1712 wrote to memory of 1136  1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe  ieinstal.exe
    PID 1712 wrote to memory of 1136  1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe  ieinstal.exe
    PID 1712 wrote to memory of 1136  1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe  ieinstal.exe
    PID 1712 wrote to memory of 1136  1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe  ieinstal.exe
    PID 1712 wrote to memory of 1136  1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe  ieinstal.exe
    PID 1712 wrote to memory of 1136  1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe  ieinstal.exe
    PID 1712 wrote to memory of 1136  1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe  ieinstal.exe
    PID 1712 wrote to memory of 1136  1712  C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe  ieinstal.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\C3BBDDB6CEBD8672A4FA8B7B8BA20A1E.exe"
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nst7F30.tmp\System.dll
  Filesize: 11KB
  MD5: 8b3830b9dbf87f84ddd3b26645fed3a0
  SHA1: 223bef1f19e644a610a0877d01eadc9e28299509
  SHA256: f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
  SHA512: d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03
- memory/1136-61-0x00000000002E0000-0x00000000003E0000-memory.dmp
  Filesize: 1024KB
- memory/1136-70-0x0000000077AC0000-0x0000000077C40000-memory.dmp
  Filesize: 1.5MB
- memory/1136-67-0x00000000778E0000-0x0000000077A89000-memory.dmp
  Filesize: 1.7MB
- memory/1136-66-0x00000000002E0000-0x00000000003E0000-memory.dmp
  Filesize: 1024KB
- memory/1136-62-0x00000000002E0000-mapping.dmp
- memory/1712-57-0x00000000060A0000-0x00000000061A1000-memory.dmp
  Filesize: 1.0MB
- memory/1712-63-0x0000000077AC0000-0x0000000077C40000-memory.dmp
  Filesize: 1.5MB
- memory/1712-64-0x0000000077AC0000-0x0000000077C40000-memory.dmp
  Filesize: 1.5MB
- memory/1712-65-0x0000000077AC0000-0x0000000077C40000-memory.dmp
  Filesize: 1.5MB
- memory/1712-58-0x00000000778E0000-0x0000000077A89000-memory.dmp
  Filesize: 1.7MB
- memory/1712-54-0x00000000762B1000-0x00000000762B3000-memory.dmp
  Filesize: 8KB
- memory/1712-56-0x00000000060A0000-0x00000000061A1000-memory.dmp
  Filesize: 1.0MB
- memory/1712-73-0x00000000060A0000-0x00000000061A1000-memory.dmp
  Filesize: 1.0MB
- memory/1712-74-0x0000000077AC0000-0x0000000077C40000-memory.dmp
  Filesize: 1.5MB