Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2023, 16:15
Static task: static1
Behavioral task: behavioral1 (sample: tmp.exe, resource: win7-20230712-en)
Behavioral task: behavioral2 (sample: tmp.exe, resource: win10v2004-20230703-en)
General
Target: tmp.exe
Size: 420KB
MD5: 601f2b22a16a96c9ddaae24e2c5611f2
SHA1: cc7e8c661cecd541b5134cf06011031dd164c58a
SHA256: 8c63c1e28683c7aa90cb40df346fe1d5dbc3b2bd994cd883cd7e551518486098
SHA512: 12dcf65c54e2d647ae90a0433a22d70e0fa6624ea524a72ad2b4ca635cad92961a6a6d341b228733ba0b477bcbda54d31545916daec51d3ff178b27d0d8ce7c7
SSDEEP: 6144:kC2guh2RGxfWgrfXQi12xMhtj3+z0N+Y9uVza:fY2sxuUfXB2xMfbsS+YsVza
Malware Config
Signatures
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
description | ioc | Process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | tmp.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | tmp.exe

Loads dropped DLL (1 IoCs)
pid | Process
2144 | tmp.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2144 | tmp.exe
4384 | tmp.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2144 set thread context of 4384 | 2144 | tmp.exe | 93

Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\Metronomic\Telefonis\glitzier\nutters.ini | tmp.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\Fonts\arklngdernes\Lowly\brunch\Brugerskrms.lnk | tmp.exe
File opened for modification | C:\Windows\Fonts\burning\Miniks64.ini | tmp.exe
File opened for modification | C:\Windows\resources\0409\denitrified\alleging\Lightheadedly.sko | tmp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
2144 | tmp.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2144 wrote to memory of 4384 | 2144 | tmp.exe | 93
PID 2144 wrote to memory of 4384 | 2144 | tmp.exe | 93
PID 2144 wrote to memory of 4384 | 2144 | tmp.exe | 93
PID 2144 wrote to memory of 4384 | 2144 | tmp.exe | 93
Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 2144)
   command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   - Checks QEMU agent file
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4384), child of PID 2144
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Checks QEMU agent file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 11KB
MD5: 2ae993a2ffec0c137eb51c8832691bcb
SHA1: 98e0b37b7c14890f8a599f35678af5e9435906e1
SHA256: 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA512: 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9