Analysis
-
max time kernel
143s -
max time network
131s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system -
submitted
13/07/2023, 20:08
Static task
static1
General
-
Target
7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe
-
Size
286KB
-
MD5
db69af7fee69d61e4eb0268afb7cd9f8
-
SHA1
47568ce8cc356ad3858fc25c334e63d7b8742849
-
SHA256
7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a
-
SHA512
78e350a54c221b7fabb9780cb6adc70e62a4ef39278a8545795a777a17a84203d2dc689f78531f1118ee6afa875fa52d8fe138cb8b20ac0acfcd28461652b22d
-
SSDEEP
6144:mz2PI+nT0UvWKIAaMBzLpPCyw7QlBRg5cb3k+mKbG/ICLJqZ:BI4xTIJMxLoNiDkhKdCcZ
Malware Config
Extracted
formbook
4.1
al05
becapmuiu.xyz
wearerp.com
beautychannel.world
kuwiti.com
vex5678.com
pecanbayouwoodworks.com
lrsconcrete.com
emgje.buzz
haorizi.net
tradingbattle.net
growgram.info
zuolide.com
poliedriconsulting.com
persjateng.com
pseudlifelif.com
tgteletg.top
33changing.com
jayagrandcounty.com
thegopigirls.com
c8685.top
cyberkracken.com
8451555.xyz
internationalabn.com
blackbeardbar.com
vetnymtravde.xyz
sevenmilehillsanctuary.com
haah1vjv3ml7yf.xyz
kimberlyquinterorealtor.net
dokumenty-ohrana-77.net
llmnissan439.vip
japanesesake.top
kuoli.xyz
tratamentoseficazes.com
mailkaski.com
alsaudidaily.com
zfjisumk.com
vrijtsnudge.xyz
smallcanberraweddings.com
plaketcad.cfd
lng-i.pro
jaschatfashion.com
synapsereferrals.com
exploringfrontiers.com
uutv201.xyz
ballbocce.com
dihai.net
panemeventsandentertainment.com
newmuny.com
onlinestorageservice.com
cannaglobe.website
minhw.shop
bradcred.com
thwys802.xyz
crictirshs.net
valutazioneimpatto.com
blackoutbundles.com
hnnhf7j4378rq5.xyz
oudfactoryom.com
lazydaisygiftstores.net
firstchoiceassistants.com
wincash88.info
grelion.com
qinyekeji.com
words2watch.com
panzerapish.cfd
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Formbook payload 1 IoCs
resource yara_rule behavioral1/memory/3128-133-0x0000000000400000-0x0000000001783000-memory.dmp formbook -
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe -
Loads dropped DLL 1 IoCs
pid Process 4956 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 3128 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4956 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe 3128 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4956 set thread context of 3128 4956 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe 69 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3128 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe 3128 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4956 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4956 wrote to memory of 3128 4956 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe 69 PID 4956 wrote to memory of 3128 4956 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe 69 PID 4956 wrote to memory of 3128 4956 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe 69 PID 4956 wrote to memory of 3128 4956 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe 69
Processes
-
C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe"C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe"C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3128
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9