Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    13/07/2023, 20:18

General

  • Target

    4781b5ca739a280c011844dabab8fb008340ad82efa70486edc34e8de8a10946.exe

  • Size

    507KB

  • MD5

    7f6e2a0959481ac955ffa5c591a1e25e

  • SHA1

    02ce117dc8c9b08e381aaccf102766f436166597

  • SHA256

    4781b5ca739a280c011844dabab8fb008340ad82efa70486edc34e8de8a10946

  • SHA512

    928ccaaf714cdbe7fa60925d5b8f351ef9d2ea080047e3bc5678975c50d3ec5fd74c371279aca0980704f38324b832b4236811aab2ae93598884f61a9ac32d88

  • SSDEEP

    12288:9FKBG73lOUG2H7zS8zjDMpOltJJCSJEM1oPa7XK:BrlMa7zbzPMWJJVv11a

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4781b5ca739a280c011844dabab8fb008340ad82efa70486edc34e8de8a10946.exe
    "C:\Users\Admin\AppData\Local\Temp\4781b5ca739a280c011844dabab8fb008340ad82efa70486edc34e8de8a10946.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Users\Admin\AppData\Local\Temp\4781b5ca739a280c011844dabab8fb008340ad82efa70486edc34e8de8a10946.exe
      "C:\Users\Admin\AppData\Local\Temp\4781b5ca739a280c011844dabab8fb008340ad82efa70486edc34e8de8a10946.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4936

Network

        MITRE ATT&CK Enterprise v6


        Downloads

        • \Users\Admin\AppData\Local\Temp\nsfD1D8.tmp\System.dll

          Filesize

          11KB

          MD5

          a4dd044bcd94e9b3370ccf095b31f896

          SHA1

          17c78201323ab2095bc53184aa8267c9187d5173

          SHA256

          2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

          SHA512

          87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

        • memory/3576-125-0x0000000003F70000-0x0000000007185000-memory.dmp

          Filesize

          50.1MB

        • memory/3576-126-0x0000000003F70000-0x0000000007185000-memory.dmp

          Filesize

          50.1MB

        • memory/3576-127-0x00007FFF55EA0000-0x00007FFF5607B000-memory.dmp

          Filesize

          1.9MB

        • memory/3576-128-0x0000000077091000-0x00000000771A4000-memory.dmp

          Filesize

          1.1MB

        • memory/3576-129-0x0000000010000000-0x0000000010006000-memory.dmp

          Filesize

          24KB

        • memory/4936-130-0x0000000000400000-0x0000000001783000-memory.dmp

          Filesize

          19.5MB

        • memory/4936-132-0x0000000001790000-0x00000000049A5000-memory.dmp

          Filesize

          50.1MB

        • memory/4936-133-0x0000000000400000-0x0000000001783000-memory.dmp

          Filesize

          19.5MB

        • memory/4936-134-0x0000000001790000-0x00000000049A5000-memory.dmp

          Filesize

          50.1MB

        • memory/4936-135-0x00007FFF55EA0000-0x00007FFF5607B000-memory.dmp

          Filesize

          1.9MB

        • memory/4936-136-0x0000000077116000-0x0000000077117000-memory.dmp

          Filesize

          4KB

        • memory/4936-143-0x0000000000400000-0x0000000001783000-memory.dmp

          Filesize

          19.5MB

        • memory/4936-145-0x0000000077091000-0x00000000771A4000-memory.dmp

          Filesize

          1.1MB