General

  • Target

    2c52a17288f1cf1d69abdeb9d8c18b8ac61ff7a7c73a6597e0916cdcbc6ddda9.exe

  • Size

    503KB

  • Sample

    230203-nnv1sseh89

  • MD5

    6e40df8770ce9ff8b80b75f30a2c619d

  • SHA1

    7af3526582fb9aa9df693a10d8e0d68bf05a7f91

  • SHA256

    2c52a17288f1cf1d69abdeb9d8c18b8ac61ff7a7c73a6597e0916cdcbc6ddda9

  • SHA512

    98d6d922b61581e867a86a57b6fb2da22bf547d46c027b6df34e4eaa583a0b3fa0559016778d0612ad634eba407bc6170f9e17688213dcf86436f66ec4dc6084

  • SSDEEP

    12288:SzVlnHPlZaogGwQSspbNCnwYk3V/xrC55QN6W07qaG:2lvG3GwQtJm4/xrC5hqaG
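
The digests listed above are the usable indicators from this report. The script below is an added example (not part of the sandbox report and not code from the sample): it hashes candidate files in one pass, reports which of the report's digests they match, and applies ssdeep's own pre-filter (block sizes equal or differing by exactly 2x, plus a shared 7-character substring between the chunk strings computed at the same block size) to decide whether two fuzzy hashes are even worth scoring. The digest values are copied from the General section; the helper names, the constructed stand-in file and the pre-filter function are assumptions of this example, and it does not compute the ssdeep match score itself.

```python
"""Check candidate files against the indicators listed in this report.

Added example, not part of the sandbox report and not code from the sample.
The digests are copied from the report's General section; helper names, the
constructed stand-in file and the ssdeep pre-filter are this script's own.
"""
import hashlib
import os
import tempfile

HASH_ALGOS = ("md5", "sha1", "sha256", "sha512")

# Indicators copied from the General section of the report above.
REPORT_IOCS = {
    "md5": "6e40df8770ce9ff8b80b75f30a2c619d",
    "sha1": "7af3526582fb9aa9df693a10d8e0d68bf05a7f91",
    "sha256": "2c52a17288f1cf1d69abdeb9d8c18b8ac61ff7a7c73a6597e0916cdcbc6ddda9",
    "sha512": "98d6d922b61581e867a86a57b6fb2da22bf547d46c027b6df34e4eaa583a0b3fa0559016778d0612ad634eba407bc6170f9e17688213dcf86436f66ec4dc6084",
    "ssdeep": "12288:SzVlnHPlZaogGwQSspbNCnwYk3V/xrC55QN6W07qaG:2lvG3GwQtJm4/xrC5hqaG",
}


def _digest(chunks):
    """Feed an iterable of byte chunks through every algorithm in a single pass."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory blob (small payloads, unit tests)."""
    return _digest([data])


def hash_file(path, chunk_size=1 << 20):
    """Digests of a file read in 1 MiB chunks, so large droppers never load whole into RAM."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(chunk_size), b""))


def match_iocs(digests, iocs=REPORT_IOCS):
    """Names of the digest algorithms whose value equals the report's indicator."""
    return sorted(
        name for name in HASH_ALGOS
        if name in digests and name in iocs and digests[name].lower() == iocs[name].lower()
    )


def parse_ssdeep(signature):
    """Split 'blocksize:chunk:double_chunk' into (int, str, str); reject malformed input."""
    parts = signature.strip().split(":")
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1]:
        raise ValueError("malformed ssdeep signature: %r" % signature)
    return int(parts[0]), parts[1], parts[2]


def has_common_substring(a, b, length=7):
    """ssdeep scores two chunk strings only if they share a 7-character substring."""
    return any(a[i:i + length] in b for i in range(len(a) - length + 1))


def ssdeep_worth_comparing(sig_a, sig_b):
    """ssdeep's pre-filter: block sizes must be equal or differ by exactly 2x, and the
    chunk strings computed at the same block size must share a 7-character substring.
    Pairs that fail this would score 0, so a bulk comparison can skip them."""
    bs_a, chunk_a, dbl_a = parse_ssdeep(sig_a)
    bs_b, chunk_b, dbl_b = parse_ssdeep(sig_b)
    if bs_a == bs_b:
        return has_common_substring(chunk_a, chunk_b) or has_common_substring(dbl_a, dbl_b)
    if bs_a == 2 * bs_b:  # a's first chunk string was built at b's double block size
        return has_common_substring(chunk_a, dbl_b)
    if bs_b == 2 * bs_a:
        return has_common_substring(dbl_a, chunk_b)
    return False


if __name__ == "__main__":
    # Constructed stand-in for a suspect file; it is not the real sample.
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 1024)
    try:
        digests = hash_file(path)
        print("sha256 of candidate:", digests["sha256"])
        print("matching indicators:", match_iocs(digests) or "none")
    finally:
        os.remove(path)
    print("report signature parses as:", parse_ssdeep(REPORT_IOCS["ssdeep"]))
```

Exact-hash matches are only as good as the file being byte-identical; the ssdeep signature is what lets you catch repacked variants, and the pre-filter above is the cheap half of that comparison (the full score needs the ssdeep library).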

Malware Config

Targets

    • Target

      2c52a17288f1cf1d69abdeb9d8c18b8ac61ff7a7c73a6597e0916cdcbc6ddda9.exe

    • Guloader,Cloudeye

      GuLoader (also tracked as CloudEyE) is a shellcode-based downloader first seen in 2020.

    • UAC bypass

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, probably to detect virtualization.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so the new thread never reports debug events to an attached debugger.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which has the same effect on an existing thread; both are common anti-debugging measures.

    • Suspicious use of SetThreadContext

      Overwrites the register context (instruction pointer included) of a thread; together with a suspended thread this is the usual way a loader redirects execution into injected code.
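
The three "Suspicious use of ..." signatures above are each tied to a specific argument value rather than to the API name alone. The following is an added example, not part of the report and not GuLoader code: it runs the matching rules over a few constructed API-trace lines in a made-up "pid tid Api(Arg=value, ...) => status" format and reports which signature each call triggers. The NT constants (ThreadHideFromDebugger = 0x11, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4) come from the Windows headers, not from the report; the trace format and the helper names are this example's own assumptions, so only the rules carry over to a real sandbox's log format.

```python
"""Flag the anti-debugging and context-hijacking calls named by the report's signatures.

Added example, not part of the sandbox report and not GuLoader code. The trace
lines are constructed in a made-up 'pid tid Api(Arg=value, ...) => status'
format; real sandboxes log calls differently, so only the matching rules
(the NT constants and flag bits) carry over to other tooling.
"""
import re

# NT constants from the Windows headers, not taken from the report.
THREAD_HIDE_FROM_DEBUGGER = 0x11              # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit
THREAD_CREATE_FLAGS_CREATE_SUSPENDED = 0x1

# Constructed trace: the main thread hides itself from the debugger, a second
# thread is created hidden and suspended, then its context is overwritten.
# This is not a capture of the real sample.
SAMPLE_TRACE = [
    "4120 4124 NtQueryValueKey(KeyHandle=0x2c, ValueName=ProductName) => 0x0",
    "4120 4124 NtSetInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0x0) => 0x0",
    "4120 4124 NtCreateThreadEx(ThreadHandle=0x1f8, ProcessHandle=0xffffffff, StartRoutine=0x420000, CreateFlags=0x5) => 0x0",
    "4120 4124 NtCreateThreadEx(ThreadHandle=0x204, ProcessHandle=0xffffffff, StartRoutine=0x421000, CreateFlags=0x1) => 0x0",
    "4120 4124 SetThreadContext(hThread=0x1f8, lpContext=0x19f3a0) => 0x1",
]

CALL_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*=>\s*(?P<status>\S+)$"
)


def parse_args(arg_text):
    """'A=0x11, B=Name' -> {'A': 17, 'B': 'Name'}; numbers may use C-style prefixes."""
    args = {}
    for item in arg_text.split(","):
        if "=" not in item:
            continue
        key, value = (s.strip() for s in item.split("=", 1))
        try:
            args[key] = int(value, 0)
        except ValueError:
            args[key] = value
    return args


def classify_call(line):
    """Return the report signature a single trace line triggers, or None."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    api, args = m.group("api"), parse_args(m.group("args"))
    if api == "NtSetInformationThread" and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
        # The thread stops delivering debug events, so a debugger no longer sees
        # its exceptions or breakpoints.
        return "Suspicious use of NtSetInformationThreadHideFromDebugger"
    if api == "NtCreateThreadEx" and args.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
        # Same effect applied at creation time; the new thread is hidden from the start.
        return "Suspicious use of NtCreateThreadExHideFromDebugger"
    if api in ("SetThreadContext", "NtSetContextThread"):
        # Rewriting a thread's registers (instruction pointer included) redirects it.
        return "Suspicious use of SetThreadContext"
    return None


def scan_trace(lines):
    """Map each triggered signature to the 1-based trace line numbers supporting it."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        sig = classify_call(line)
        if sig:
            hits.setdefault(sig, []).append(number)
    return hits


if __name__ == "__main__":
    for sig, numbers in scan_trace(SAMPLE_TRACE).items():
        print("%s  (trace lines %s)" % (sig, ", ".join(map(str, numbers))))
```

Note that the fourth trace line, a plain NtCreateThreadEx with only CREATE_SUSPENDED set, is deliberately not flagged: thread creation by itself is benign, and it is the 0x4 flag bit (or the 0x11 information class) that makes the call a signature hit.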

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                       Signatures  ID
  Privilege Escalation   Bypass User Account Control     1           T1088
  Defense Evasion        Bypass User Account Control     1           T1088
  Defense Evasion        Disabling Security Tools        1           T1089
  Defense Evasion        Modify Registry                 2           T1112
  Discovery              Query Registry                  1           T1012
  Discovery              System Information Discovery    2           T1082
  Command and Control    Web Service                     1           T1102

The IDs are from ATT&CK v6. In current ATT&CK versions T1088 has been folded into T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control) and T1089 into T1562.001 (Impair Defenses: Disable or Modify Tools); T1112, T1012, T1082 and T1102 keep their IDs.

Tasks