Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
11-01-2023 07:32
General
-
Target
SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
-
Size
622KB
-
MD5
a1eb9b01ff7b80dac067728bc1476c55
-
SHA1
40be959c6151c3a224189045084c0c729540390d
-
SHA256
a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b
-
SHA512
bde60cd01dcfcba0053279725c9cae50b3941c3471bc41eddf8e287934f8f11e2218d9d5245b2cabae5a7ca58f5f66aaf4bb76c908e9f4d0fe4e03224d60ca33
-
SSDEEP
12288:AcWJ+6nT8mlodoRNnKRpj25w3Ng1ADX9rMIbyyjRt:AXBn1lodo6jf3NgMBxOyj/
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsg4AC5.tmp\System.dllFilesize
11KB
MD517ed1c86bd67e78ade4712be48a7d2bd
SHA11cc9fe86d6d6030b4dae45ecddce5907991c01a0
SHA256bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
SHA5120cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
-
memory/3204-138-0x00000000771F0000-0x0000000077393000-memory.dmpFilesize
1.6MB
-
memory/3204-133-0x0000000002AB0000-0x0000000002B8B000-memory.dmpFilesize
876KB
-
memory/3204-135-0x00007FF84E850000-0x00007FF84EA45000-memory.dmpFilesize
2.0MB
-
memory/3204-136-0x00000000771F0000-0x0000000077393000-memory.dmpFilesize
1.6MB
-
memory/3204-134-0x0000000002AB0000-0x0000000002B8B000-memory.dmpFilesize
876KB
-
memory/4192-140-0x0000000001660000-0x0000000007503000-memory.dmpFilesize
94.6MB
-
memory/4192-139-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/4192-137-0x0000000000000000-mapping.dmp
-
memory/4192-141-0x0000000001660000-0x0000000007503000-memory.dmpFilesize
94.6MB
-
memory/4192-142-0x00007FF84E850000-0x00007FF84EA45000-memory.dmpFilesize
2.0MB
-
memory/4192-143-0x00000000771F0000-0x0000000077393000-memory.dmpFilesize
1.6MB
-
memory/4192-144-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/4192-147-0x0000000000401000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/4192-149-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB