Overview

overview

10

Static

static

1

Geparders.exe

windows7-x64

10

Geparders.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/04/2023, 18:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Geparders.exe

  • Size

    280KB

  • MD5

    d5483fe9cbf398d6af54199dce725081

  • SHA1

    0149da2dd3a686c11f8a6791f6ce6057b6df2923

  • SHA256

    d989ab685c59463a2ae115503881d520032409525de9846d458583e4ad75fc15

  • SHA512

    8f8dd65fabda42d7dbe345dee8f38b3b0030f50bf229b3154d804b0380eb00b0acfe57160c374c24618518f79020463c3fd9d2f226e20dc4f7776e47638b8c97

  • SSDEEP

    6144:+lJZfr5Bt16Ofo1vMLI1rGV0BV6PQvI8WWrY6efDBY9QPQzCK2u:+lj5BJ6vlrQxQvI8HY6efQwQzCK2u

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Geparders.exe
    "C:\Users\Admin\AppData\Local\Temp\Geparders.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\Geparders.exe
      "C:\Users\Admin\AppData\Local\Temp\Geparders.exe"
      2⤵
      • Checks QEMU agent file
      • Checks computer location settings
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:4344
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
        PID:3208

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\nsh9ADF.tmp\System.dll
            Filesize

            11KB

            MD5

            fc90dfb694d0e17b013d6f818bce41b0

            SHA1

            3243969886d640af3bfa442728b9f0dff9d5f5b0

            SHA256

            7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

            SHA512

            324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

            Download Submit

          • C:\Windows\Resources\Skrivningen.ini
            Filesize

            42B

            MD5

            70a4047dae48947952460c5ff242ca5b

            SHA1

            38aee314c1ef56eedaf03930149862391c850228

            SHA256

            7596a5e2cc8da4c9899ee863688dc2c4f8fa47698874009317e0243d6f8d0734

            SHA512

            ab5881b6e1ef76006bba51d0bb623c771f73aa763886cea43a9f9e31240c29731569cc63bae1cba95e8d99b92bcae41d41282e873fe8f291f273c3a18b09dadd

            Download Submit

          • memory/1656-150-0x0000000004A10000-0x00000000074BD000-memory.dmp

            Filesize

            42.7MB

            Download

          • memory/1656-151-0x0000000004A10000-0x00000000074BD000-memory.dmp

            Filesize

            42.7MB

            Download

          • memory/1656-171-0x0000000007600000-0x00000000076C0000-memory.dmp

            Filesize

            768KB

            Download

          • memory/4344-163-0x0000000000400000-0x0000000001654000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4344-153-0x0000000001660000-0x000000000410D000-memory.dmp

            Filesize

            42.7MB

            Download

          • memory/4344-164-0x0000000001660000-0x000000000410D000-memory.dmp

            Filesize

            42.7MB

            Download

          • memory/4344-168-0x0000000000400000-0x0000000001654000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4344-169-0x0000000001660000-0x000000000410D000-memory.dmp

            Filesize

            42.7MB

            Download

          • memory/4344-170-0x0000000034790000-0x0000000034ADA000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4344-152-0x0000000000400000-0x0000000001654000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4344-172-0x0000000000400000-0x0000000001654000-memory.dmp

            Filesize

            18.3MB

            Download