Overview

overview

10

Static

static

1

MRSK0052447.exe

windows7-x64

10

MRSK0052447.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2023, 23:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    MRSK0052447.exe

  • Size

    323KB

  • MD5

    22703d73ef4ec763de5013db113d0bda

  • SHA1

    bf6a91179cc2108159728395597946a9df874ff3

  • SHA256

    bf3b3dbdeec58b9b018269cb0881f25708c1b0f0db5ed19228645e7e9ef00563

  • SHA512

    afdd9f1d92036fa2847d7dc90bbcf6c5e17fd7d34cbfd31c98968e711286e4ce41eba2767bec4d06f70f7b3239459dd3a5f64685067cec8a576f62f4954140c4

  • SSDEEP

    6144:MicFydAzxivUmv5reUOP/qHbuGkOyTysmV1f04/Vwu0FcYjaBOy/iJ:P+VivU0CKb4OcmffVwJFcC+/i

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\MRSK0052447.exe
      "C:\Users\Admin\AppData\Local\Temp\MRSK0052447.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Users\Admin\AppData\Local\Temp\MRSK0052447.exe
        "C:\Users\Admin\AppData\Local\Temp\MRSK0052447.exe"
        3⤵
        • Checks QEMU agent file
        • Checks computer location settings
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1328
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4064
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 4064 -s 140
            4⤵
            • Program crash
            PID:3960
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 420 -p 4064 -ip 4064
      1⤵
        PID:4172

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\nstD0F2.tmp\System.dll
              Filesize

              12KB

              MD5

              8cf2ac271d7679b1d68eefc1ae0c5618

              SHA1

              7cc1caaa747ee16dc894a600a4256f64fa65a9b8

              SHA256

              6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

              SHA512

              ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nstD0F2.tmp\System.dll
              Filesize

              12KB

              MD5

              8cf2ac271d7679b1d68eefc1ae0c5618

              SHA1

              7cc1caaa747ee16dc894a600a4256f64fa65a9b8

              SHA256

              6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

              SHA512

              ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nstD0F2.tmp\System.dll
              Filesize

              12KB

              MD5

              8cf2ac271d7679b1d68eefc1ae0c5618

              SHA1

              7cc1caaa747ee16dc894a600a4256f64fa65a9b8

              SHA256

              6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

              SHA512

              ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

              Download Submit

            • memory/756-180-0x0000000002D40000-0x0000000002E20000-memory.dmp

              Filesize

              896KB

              Download

            • memory/756-173-0x0000000002D40000-0x0000000002E20000-memory.dmp

              Filesize

              896KB

              Download

            • memory/756-163-0x0000000008390000-0x00000000084A4000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/956-148-0x0000000004C70000-0x000000000570A000-memory.dmp

              Filesize

              10.6MB

              Download

            • memory/956-149-0x0000000004C70000-0x000000000570A000-memory.dmp

              Filesize

              10.6MB

              Download

            • memory/1328-162-0x00000000000C0000-0x00000000000D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1328-165-0x0000000001660000-0x00000000020FA000-memory.dmp

              Filesize

              10.6MB

              Download

            • memory/1328-158-0x0000000000400000-0x0000000001654000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/1328-161-0x00000000326C0000-0x0000000032A0A000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1328-156-0x0000000000400000-0x0000000001654000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/1328-152-0x0000000001660000-0x00000000020FA000-memory.dmp

              Filesize

              10.6MB

              Download

            • memory/1328-150-0x0000000000400000-0x0000000001654000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/1328-157-0x0000000001660000-0x00000000020FA000-memory.dmp

              Filesize

              10.6MB

              Download

            • memory/1328-151-0x0000000001660000-0x00000000020FA000-memory.dmp

              Filesize

              10.6MB

              Download

            • memory/1328-167-0x0000000000400000-0x0000000001654000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/1804-168-0x0000000001040000-0x000000000106D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/1804-169-0x0000000001040000-0x000000000106D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/1804-170-0x0000000002FA0000-0x00000000032EA000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1804-172-0x0000000002DD0000-0x0000000002E5F000-memory.dmp

              Filesize

              572KB

              Download

            • memory/1804-166-0x00000000002D0000-0x0000000000327000-memory.dmp

              Filesize

              348KB

              Download

            • memory/1804-164-0x00000000002D0000-0x0000000000327000-memory.dmp

              Filesize

              348KB

              Download