Overview

overview

10

Static

static

1

Trice Chem...df.exe

windows7-x64

10

Trice Chem...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2023 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trice Chemical February-PO#67388pdf.exe

  • Size

    396KB

  • MD5

    99f18e1392de2176e675ed6a03bfc9d7

  • SHA1

    ddc161c761aff3f7e9c66dfbf7e10a7c0fd83ea5

  • SHA256

    ce3884be774641ca941308377c3ffd5ed1ed96ba0d9257106f85e4445bfb10ba

  • SHA512

    70c89c2f66036dcf37be600fc381eac24c41afa616ad88d0b73aa8c02ba0b63e273533b60018e5fddee1444c8c02c3a16f18811ce9d9875a29606de61785dc62

  • SSDEEP

    12288:92fISNErVIouVe6HMtjEjE8VapPUsgI/2B:92f9NQVIoV4CxiapPUsz/S

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trice Chemical February-PO#67388pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Trice Chemical February-PO#67388pdf.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Users\Admin\AppData\Local\Temp\Trice Chemical February-PO#67388pdf.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1600
        3⤵
        • Program crash
        PID:3752
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 452 -p 4860 -ip 4860
    1⤵
      PID:2444
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4860 -s 1764
      1⤵
      • Program crash
      PID:1724
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4424 -ip 4424
      1⤵
        PID:3672

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nsu620D.tmp\System.dll
        Filesize

        11KB

        MD5

        55a26d7800446f1373056064c64c3ce8

        SHA1

        80256857e9a0a9c8897923b717f3435295a76002

        SHA256

        904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

        SHA512

        04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

        Download Submit
      • memory/2672-139-0x0000000076EE0000-0x0000000077083000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2672-133-0x00000000049A0000-0x000000000730D000-memory.dmp
        Filesize

        41.4MB

        Download
      • memory/2672-134-0x00000000049A0000-0x000000000730D000-memory.dmp
        Filesize

        41.4MB

        Download
      • memory/2672-135-0x00007FF93D210000-0x00007FF93D405000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/2672-136-0x0000000076EE0000-0x0000000077083000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2672-140-0x00007FF93D210000-0x00007FF93D405000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4424-138-0x0000000001040000-0x00000000039AD000-memory.dmp
        Filesize

        41.4MB

        Download
      • memory/4424-137-0x0000000000000000-mapping.dmp
        Download
      • memory/4424-141-0x0000000001040000-0x00000000039AD000-memory.dmp
        Filesize

        41.4MB

        Download
      • memory/4424-142-0x00007FF93D210000-0x00007FF93D405000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4424-143-0x0000000076EE0000-0x0000000077083000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4424-144-0x0000000076EE0000-0x0000000077083000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4424-145-0x00007FF93D210000-0x00007FF93D405000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4424-146-0x0000000001040000-0x00000000039AD000-memory.dmp
        Filesize

        41.4MB

        Download