Analysis
- max time kernel: 176s
- max time network: 203s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 16-01-2023 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: ODEME BILGILENDIRME 000284857577688 01162023.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: ODEME BILGILENDIRME 000284857577688 01162023.exe
  Resource: win10v2004-20221111-en
General
- Target: ODEME BILGILENDIRME 000284857577688 01162023.exe
- Size: 258KB
- MD5: ef194272556559c7d4da6515efaaa09d
- SHA1: 713343ddc7b859c93dc58559aee00f62f2c48c97
- SHA256: 32ea41ff050f09d0b92967588a131e0a170cb46baf7ee58d03277d09336f89d9
- SHA512: d488eef517aea854d6f9bb5c6de69ed4a573377c5279ce051cafe8ec3511a453101cf162925297a14f99d754e749a2129ee767e8620cca062e226cc165ecb5bc
- SSDEEP: 6144:haCoWj2mYBtHF3rvcZjvqM4SkF/92SRD3xRKBfe6:haCcBFRcZjy0kF/92SRBkI6
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes:
    description              ioc                                   process
    File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  caspol.exe
    File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  ODEME BILGILENDIRME 000284857577688 01162023.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid  process
    940  ODEME BILGILENDIRME 000284857577688 01162023.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    pid   process
    940   ODEME BILGILENDIRME 000284857577688 01162023.exe
    1176  caspol.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid  process                                           target process
    PID 940 set thread context of 1176    940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid  process
    940  ODEME BILGILENDIRME 000284857577688 01162023.exe
    940  ODEME BILGILENDIRME 000284857577688 01162023.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid  process                                           target process
    PID 940 wrote to memory of 568    940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
    PID 940 wrote to memory of 568    940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
    PID 940 wrote to memory of 568    940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
    PID 940 wrote to memory of 568    940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
    PID 940 wrote to memory of 1176   940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
    PID 940 wrote to memory of 1176   940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
    PID 940 wrote to memory of 1176   940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
    PID 940 wrote to memory of 1176   940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
    PID 940 wrote to memory of 1176   940  ODEME BILGILENDIRME 000284857577688 01162023.exe  caspol.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ODEME BILGILENDIRME 000284857577688 01162023.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ODEME BILGILENDIRME 000284857577688 01162023.exe"
  Signatures:
    - Checks QEMU agent file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ODEME BILGILENDIRME 000284857577688 01162023.exe"
  Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ODEME BILGILENDIRME 000284857577688 01162023.exe"
    Signatures:
      - Checks QEMU agent file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsjC63E.tmp\System.dll
  Filesize: 11KB
  MD5: be2621a78a13a56cf09e00dd98488360
  SHA1: 75f0539dc6af200a07cdb056cddddec595c6cfd2
  SHA256: 852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5
  SHA512: b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1
- memory/940-69-0x0000000077340000-0x00000000774C0000-memory.dmp
  Filesize: 1.5MB
- memory/940-56-0x0000000002790000-0x00000000033DA000-memory.dmp
  Filesize: 12.3MB
- memory/940-58-0x0000000077160000-0x0000000077309000-memory.dmp
  Filesize: 1.7MB
- memory/940-59-0x0000000077340000-0x00000000774C0000-memory.dmp
  Filesize: 1.5MB
- memory/940-61-0x0000000077340000-0x00000000774C0000-memory.dmp
  Filesize: 1.5MB
- memory/940-54-0x0000000075B61000-0x0000000075B63000-memory.dmp
  Filesize: 8KB
- memory/940-64-0x0000000077340000-0x00000000774C0000-memory.dmp
  Filesize: 1.5MB
- memory/940-71-0x0000000077340000-0x00000000774C0000-memory.dmp
  Filesize: 1.5MB
- memory/1176-63-0x0000000000ED8A9E-mapping.dmp
- memory/1176-68-0x0000000077160000-0x0000000077309000-memory.dmp
  Filesize: 1.7MB
- memory/1176-70-0x0000000000EE0000-0x000000000374B000-memory.dmp
  Filesize: 40.4MB
- memory/1176-65-0x0000000000EE0000-0x000000000374B000-memory.dmp
  Filesize: 40.4MB