Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Gardenizes.exe

windows7-x64

10

Gardenizes.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30/05/2023, 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Gardenizes.exe

  • Size

    526KB

  • MD5

    272af9392194c64dd28d80bc09098a11

  • SHA1

    5b87e32283412d27880e43db5670ac05591e5fb5

  • SHA256

    49c664a223499b26d21c32fa465d34dda9c824a3940eda061ea8ccfdac003a3a

  • SHA512

    f332313483d647f80c9d521cdce765cbebabe0dbd6f3e1467c723c597e09056f33f0849c785a76496f74a5c23bd04431b5246429e8e18e4bf3d5bbd9e48a409b

  • SSDEEP

    12288:cVl7xI2ap5h9xrmJJlFdOmwLGIPpfjVHmDTiCba6fR:cb7xI2ap55momV8FjVHmO6fR

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gardenizes.exe
    "C:\Users\Admin\AppData\Local\Temp\Gardenizes.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Local\Temp\Gardenizes.exe
      "C:\Users\Admin\AppData\Local\Temp\Gardenizes.exe"
      2⤵
      • Checks QEMU agent file
      • Checks computer location settings
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
        PID:1936

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsd4F3.tmp\System.dll
      Filesize

      12KB

      MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

      SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

      SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

      SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

      Download Submit

    • memory/1204-86-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/1204-88-0x0000000001470000-0x0000000002A67000-memory.dmp

      Filesize

      22.0MB

      Download

    • memory/1204-89-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/1204-111-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/1204-112-0x0000000001470000-0x0000000002A67000-memory.dmp

      Filesize

      22.0MB

      Download

    • memory/1204-113-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/1204-115-0x0000000032F60000-0x0000000033263000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1708-85-0x0000000003380000-0x0000000004977000-memory.dmp

      Filesize

      22.0MB

      Download

    • memory/1708-87-0x0000000003380000-0x0000000004977000-memory.dmp

      Filesize

      22.0MB

      Download

    • memory/1708-116-0x0000000032770000-0x000000003284D000-memory.dmp

      Filesize

      884KB

      Download