Analysis Overview
SHA256
43ad88d4b9b62ac29d1872243f482198d5771dadf38903b63ba51bc344a871a5
Threat Level: Known bad
The file Arrival Notice pdf.exe was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Lokibot
Reads user/profile data of web browsers
Checks QEMU agent file
Loads dropped DLL
Accesses Microsoft Outlook profiles
Suspicious use of NtCreateThreadExHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious behavior: RenamesItself
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-12 13:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-12 13:32
Reported
2023-07-12 13:34
Platform
win7-20230712-en
Max time kernel
147s
Max time network
141s
Command Line
Signatures
Guloader,Cloudeye
Lokibot
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2340 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Tuvaluaners160\Tachibana157\programafprvningerne.ect | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2340 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
| PID 2340 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
| PID 2340 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
| PID 2340 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
| PID 2340 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| NL | 171.22.30.164:80 | 171.22.30.164 | tcp |
| NL | 171.22.30.164:80 | 171.22.30.164 | tcp |
| NL | 171.22.30.164:80 | 171.22.30.164 | tcp |
| NL | 171.22.30.164:80 | 171.22.30.164 | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsoDDB3.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
memory/2340-67-0x00000000033B0000-0x000000000619C000-memory.dmp
memory/2340-68-0x00000000033B0000-0x000000000619C000-memory.dmp
memory/2044-69-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2044-70-0x0000000001470000-0x000000000425C000-memory.dmp
memory/2044-71-0x0000000000400000-0x0000000001462000-memory.dmp
memory/2044-72-0x0000000001470000-0x000000000425C000-memory.dmp
memory/2044-84-0x0000000001470000-0x000000000425C000-memory.dmp
memory/2044-87-0x0000000001470000-0x000000000425C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1014134971-2480516131-292343513-1000\0f5007522459c86e95ffcc62f32308f1_d5f11b9e-2b71-41f6-9dcc-8691edc6dc24
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1014134971-2480516131-292343513-1000\0f5007522459c86e95ffcc62f32308f1_d5f11b9e-2b71-41f6-9dcc-8691edc6dc24
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-12 13:32
Reported
2023-07-12 13:34
Platform
win10v2004-20230703-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Guloader,Cloudeye
Lokibot
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C394D645-39A2-4EE1-BC25-2B651B221E86}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1660 set thread context of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Tuvaluaners160\Tachibana157\programafprvningerne.ect | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1660 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
| PID 1660 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
| PID 1660 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
| PID 1660 wrote to memory of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.25.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| NL | 171.22.30.164:80 | 171.22.30.164 | tcp |
| NL | 171.22.30.164:80 | 171.22.30.164 | tcp |
| US | 8.8.8.8:53 | 164.30.22.171.in-addr.arpa | udp |
| NL | 171.22.30.164:80 | 171.22.30.164 | tcp |
| NL | 171.22.30.164:80 | 171.22.30.164 | tcp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsnCCE6.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
memory/1660-146-0x0000000004CA0000-0x0000000007A8C000-memory.dmp
memory/1660-147-0x0000000004CA0000-0x0000000007A8C000-memory.dmp
memory/4328-148-0x0000000000400000-0x0000000001654000-memory.dmp
memory/4328-149-0x0000000001660000-0x000000000444C000-memory.dmp
memory/4328-150-0x0000000001660000-0x000000000444C000-memory.dmp
memory/4328-154-0x0000000001660000-0x000000000444C000-memory.dmp
memory/4328-155-0x0000000001660000-0x000000000444C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1722984668-1829624581-3022101259-1000\0f5007522459c86e95ffcc62f32308f1_a0bc95ba-226b-43bc-9413-1a52b12558b5
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1722984668-1829624581-3022101259-1000\0f5007522459c86e95ffcc62f32308f1_a0bc95ba-226b-43bc-9413-1a52b12558b5
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |