Overview

overview

10

Static

static

1

justifican...ia.exe

windows7-x64

10

justifican...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    203s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    20/04/2023, 10:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    justificante de transferencia.exe

  • Size

    439KB

  • MD5

    3931436d54a7af5e532612c3f3e06fc0

  • SHA1

    eb3692c150cc7f8ecea9522b314e50e82c902209

  • SHA256

    c69e558e5526feeb00ab90efe764fb0b93b3a09692659d1a57c652da81f1d123

  • SHA512

    4881726bb3734022c79b3929e0719251986a656cf0ac18b0b3825b0da74a8877fabdd1382b956ef2f6af3a6418435aba5b2dbb7d113eb209dfbac235127c9552

  • SSDEEP

    12288:gz1KzffDfffr2c0kz0hS19NTivjlmJdio3qH:FffDfffrrzES19NTivjlmnV0

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\justificante de transferencia.exe
    "C:\Users\Admin\AppData\Local\Temp\justificante de transferencia.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Users\Admin\AppData\Local\Temp\justificante de transferencia.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsoCBDA.tmp\System.dll
    Filesize

    11KB

    MD5

    17ed1c86bd67e78ade4712be48a7d2bd

    SHA1

    1cc9fe86d6d6030b4dae45ecddce5907991c01a0

    SHA256

    bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

    SHA512

    0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

    Download Submit

  • memory/900-65-0x0000000001210000-0x0000000002C88000-memory.dmp

    Filesize

    26.5MB

    Download

  • memory/900-66-0x0000000000400000-0x0000000000615000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/900-67-0x0000000001210000-0x0000000002C88000-memory.dmp

    Filesize

    26.5MB

    Download

  • memory/2044-63-0x0000000002E40000-0x00000000048B8000-memory.dmp

    Filesize

    26.5MB

    Download

  • memory/2044-64-0x0000000002E40000-0x00000000048B8000-memory.dmp

    Filesize

    26.5MB

    Download