Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2023, 16:15

General

  • Target

    tmp.exe

  • Size

    420KB

  • MD5

    601f2b22a16a96c9ddaae24e2c5611f2

  • SHA1

    cc7e8c661cecd541b5134cf06011031dd164c58a

  • SHA256

    8c63c1e28683c7aa90cb40df346fe1d5dbc3b2bd994cd883cd7e551518486098

  • SHA512

    12dcf65c54e2d647ae90a0433a22d70e0fa6624ea524a72ad2b4ca635cad92961a6a6d341b228733ba0b477bcbda54d31545916daec51d3ff178b27d0d8ce7c7

  • SSDEEP

    6144:kC2guh2RGxfWgrfXQi12xMhtj3+z0N+Y9uVza:fY2sxuUfXB2xMfbsS+YsVza

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4384

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nss7475.tmp\System.dll

          Filesize

          11KB

          MD5

          2ae993a2ffec0c137eb51c8832691bcb

          SHA1

          98e0b37b7c14890f8a599f35678af5e9435906e1

          SHA256

          681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

          SHA512

          2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

        • memory/2144-143-0x0000000003360000-0x0000000005A62000-memory.dmp

          Filesize

          39.0MB

        • memory/2144-144-0x0000000003360000-0x0000000005A62000-memory.dmp

          Filesize

          39.0MB

        • memory/4384-145-0x0000000000400000-0x0000000001654000-memory.dmp

          Filesize

          18.3MB

        • memory/4384-146-0x0000000001660000-0x0000000003D62000-memory.dmp

          Filesize

          39.0MB

        • memory/4384-147-0x0000000001660000-0x0000000003D62000-memory.dmp

          Filesize

          39.0MB

        • memory/4384-148-0x0000000000400000-0x0000000001654000-memory.dmp

          Filesize

          18.3MB