Analysis

  • max time kernel
    115s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-02-2023 11:41

General

  • Target
    2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe
  • Size
    817KB
  • MD5
    ca294a7cd41349c52db4336d3dd4d9a7
  • SHA1
    b657c74a81c2c5c7729c2128bcd66da89f95afd1
  • SHA256
    2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72
  • SHA512
    e8a1a3e904691043ff329253f7d93a095f0cac877ff1c56776373b623e4dd47902f2c0dd39ae35150eeb180b3250e3da9bf6ee5b5e0e92530aa72d3f9716853b
  • SSDEEP
    12288:rzHSwv6XXvvYRVb8UBrbGDKWEyxhXRHZr8PB+guORV4kb:yY6XXIRV/OKWEyBHZr8PQgNzn

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe
    "C:\Users\Admin\AppData\Local\Temp\2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Users\Admin\AppData\Local\Temp\2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe"
      2⤵
      • Checks QEMU agent file
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2296
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4768
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:2352
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:4164
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:3548
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:4168
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 3616
        3⤵
        • Program crash
        PID:1448
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5112
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2296 -ip 2296
    1⤵
    PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 3
    System Information Discovery (T1082): 3
  • Collection
    Email Collection (T1114): 1
  • Command and Control
    Web Service (T1102): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nstAA8F.tmp\System.dll
    Filesize: 11KB
    MD5: 17ed1c86bd67e78ade4712be48a7d2bd
    SHA1: 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
    SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
    SHA512: 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
  • memory/1496-155-0x0000000000000000-mapping.dmp
  • memory/2296-147-0x0000000038D30000-0x0000000038D96000-memory.dmp
    Filesize: 408KB
  • memory/2296-161-0x00007FFEB31B0000-0x00007FFEB33A5000-memory.dmp
    Filesize: 2.0MB
  • memory/2296-148-0x00007FFEB31B0000-0x00007FFEB33A5000-memory.dmp
    Filesize: 2.0MB
  • memory/2296-160-0x0000000001300000-0x0000000005F0F000-memory.dmp
    Filesize: 76.1MB
  • memory/2296-138-0x0000000001300000-0x0000000005F0F000-memory.dmp
    Filesize: 76.1MB
  • memory/2296-139-0x0000000001300000-0x0000000005F0F000-memory.dmp
    Filesize: 76.1MB
  • memory/2296-140-0x00007FFEB31B0000-0x00007FFEB33A5000-memory.dmp
    Filesize: 2.0MB
  • memory/2296-141-0x00000000776F0000-0x0000000077893000-memory.dmp
    Filesize: 1.6MB
  • memory/2296-142-0x00000000776F0000-0x0000000077893000-memory.dmp
    Filesize: 1.6MB
  • memory/2296-143-0x0000000000400000-0x000000000062B000-memory.dmp
    Filesize: 2.2MB
  • memory/2296-144-0x0000000000401000-0x000000000062B000-memory.dmp
    Filesize: 2.2MB
  • memory/2296-146-0x0000000000400000-0x0000000000586000-memory.dmp
    Filesize: 1.5MB
  • memory/2296-136-0x0000000000000000-mapping.dmp
  • memory/2296-159-0x00000000776F0000-0x0000000077893000-memory.dmp
    Filesize: 1.6MB
  • memory/2296-149-0x00000000776F0000-0x0000000077893000-memory.dmp
    Filesize: 1.6MB
  • memory/2296-150-0x0000000039D80000-0x0000000039E12000-memory.dmp
    Filesize: 584KB
  • memory/2296-152-0x000000003A3D0000-0x000000003A974000-memory.dmp
    Filesize: 5.6MB
  • memory/2352-153-0x0000000000000000-mapping.dmp
  • memory/2808-133-0x00000000032F0000-0x00000000033CB000-memory.dmp
    Filesize: 876KB
  • memory/2808-135-0x00000000776F0000-0x0000000077893000-memory.dmp
    Filesize: 1.6MB
  • memory/2808-137-0x00000000776F0000-0x0000000077893000-memory.dmp
    Filesize: 1.6MB
  • memory/2808-134-0x00007FFEB31B0000-0x00007FFEB33A5000-memory.dmp
    Filesize: 2.0MB
  • memory/3548-157-0x0000000000000000-mapping.dmp
  • memory/4008-156-0x0000000000000000-mapping.dmp
  • memory/4164-154-0x0000000000000000-mapping.dmp
  • memory/4168-158-0x0000000000000000-mapping.dmp
  • memory/4768-151-0x0000000000000000-mapping.dmp