Analysis
- max time kernel: 97s
- max time network: 100s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01-02-2023 16:03
Static task: static1
Behavioral task: behavioral1
- Sample: a74960472ab338a421fb56948e742f2b.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a74960472ab338a421fb56948e742f2b.exe
- Resource: win10v2004-20221111-en
General
- Target: a74960472ab338a421fb56948e742f2b.exe
- Size: 619KB
- MD5: a74960472ab338a421fb56948e742f2b
- SHA1: c39bd553f3a1b8147f98056f8ea81bb6d6099b1e
- SHA256: 2e6a8bb2fcfef5cdc29aa03bfe22b01ebe7b3f71e09ad302dec93d672d1c3141
- SHA512: 7cbbc8d2ba0202370a82bbd2f24a7123a364e41a89c6f1f5472f702c91cac9f976ea1189c32462f97e5bff8c46978c691df9260945eeefb5054b09b65289da9d
- SSDEEP: 12288:b7EWNDJccwIWYh7jQ4+ngZnz/B4WW3nVVP7ntr9+E78MNv1z2qcNjRtBnMAr8+:MUlyYtjQ4UWz/B4vT7CE78YvjsNfC+
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes (description / ioc / process):
  - File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (a74960472ab338a421fb56948e742f2b.exe)
  - File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (ieinstal.exe)
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  - 1748 a74960472ab338a421fb56948e742f2b.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (ieinstal.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Unnominated25 = "C:\\Users\\Admin\\AppData\\Roaming\\Cpa\\Alpargata.exe" (ieinstal.exe)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes (pid / process):
  - 1536 ieinstal.exe
  - 1536 ieinstal.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid / process):
  - 1748 a74960472ab338a421fb56948e742f2b.exe
  - 1536 ieinstal.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1748 set thread context of 1536: a74960472ab338a421fb56948e742f2b.exe -> ieinstal.exe
- Drops file in Program Files directory (1 IoCs)
  Processes (description / ioc / process):
  - File opened for modification: C:\Program Files (x86)\internet explorer\ieinstal.exe (ieinstal.exe)
- Drops file in Windows directory (1 IoCs)
  Processes (description / ioc / process):
  - File opened for modification: C:\Windows\resources\0409\Vre\Prstekrave\Uskadeliggjort.Pun (a74960472ab338a421fb56948e742f2b.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
  - 1748 a74960472ab338a421fb56948e742f2b.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 1536 ieinstal.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  - PID 1748 wrote to memory of 1536: a74960472ab338a421fb56948e742f2b.exe -> ieinstal.exe
  - PID 1748 wrote to memory of 1536: a74960472ab338a421fb56948e742f2b.exe -> ieinstal.exe
  - PID 1748 wrote to memory of 1536: a74960472ab338a421fb56948e742f2b.exe -> ieinstal.exe
  - PID 1748 wrote to memory of 1536: a74960472ab338a421fb56948e742f2b.exe -> ieinstal.exe
  - PID 1748 wrote to memory of 1536: a74960472ab338a421fb56948e742f2b.exe -> ieinstal.exe
  - PID 1748 wrote to memory of 1536: a74960472ab338a421fb56948e742f2b.exe -> ieinstal.exe
  - PID 1748 wrote to memory of 1536: a74960472ab338a421fb56948e742f2b.exe -> ieinstal.exe
  - PID 1748 wrote to memory of 1536: a74960472ab338a421fb56948e742f2b.exe -> ieinstal.exe
  - PID 1536 wrote to memory of 2020: ieinstal.exe -> WScript.exe
  - PID 1536 wrote to memory of 2020: ieinstal.exe -> WScript.exe
  - PID 1536 wrote to memory of 2020: ieinstal.exe -> WScript.exe
  - PID 1536 wrote to memory of 2020: ieinstal.exe -> WScript.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\a74960472ab338a421fb56948e742f2b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a74960472ab338a421fb56948e742f2b.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Program Files (x86)\internet explorer\ieinstal.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a74960472ab338a421fb56948e742f2b.exe"
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nbykgjwfgjzyovrumvpgvajx.vbs"
Downloads
- C:\Users\Admin\AppData\Local\Temp\nbykgjwfgjzyovrumvpgvajx.vbs
  Filesize: 366B
  MD5: 0fe2423601d3291b0b6326e6518286a0
  SHA1: 09746eb739147f191068aba1552cd616eabd5e1d
  SHA256: 1a899121e3969c2bb894e08765a57e8a65cb9154d71c3825baa6b4f2da61d8f3
  SHA512: 9632acaa96bf0d7bc5f3754d15117079888fcc23591007fc7f4d5dabfdb1e9300cf96ff3ee9266fe2d29ea118623651773d1002d5a3f91270471841d5012cec6
- \Users\Admin\AppData\Local\Temp\nsi956.tmp\System.dll
  Filesize: 11KB
  MD5: 9625d5b1754bc4ff29281d415d27a0fd
  SHA1: 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
  SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
  SHA512: dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b