Analysis Overview
SHA256
6065cbb9fb0ae29dbdeca23edc1869c329d71fa17cce27daead9fdfec4b48c42
Threat Level: Known bad
The file WB Documents No-285380XXX.exe was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Checks QEMU agent file
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-07 06:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-07 06:44
Reported
2023-08-07 06:46
Platform
win7-20230712-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\eksponer\handstaff\Verruga\bukselommens.coa | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe
"C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsy7EE1.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
C:\Users\Admin\AppData\Local\Temp\nsy7EE1.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
\Users\Admin\AppData\Local\Temp\nsy7EE1.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
memory/2472-66-0x00000000027A0000-0x00000000056A3000-memory.dmp
memory/2472-67-0x0000000077020000-0x00000000771C9000-memory.dmp
memory/2472-68-0x0000000077210000-0x00000000772E6000-memory.dmp
memory/2472-69-0x00000000027A0000-0x00000000056A3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-07 06:44
Reported
2023-08-07 06:46
Platform
win10v2004-20230703-en
Max time kernel
128s
Max time network
152s
Command Line
Signatures
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\eksponer\handstaff\Verruga\bukselommens.coa | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe
"C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1044
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.7.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.128.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.141.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nswB065.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
C:\Users\Admin\AppData\Local\Temp\nswB065.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
C:\Users\Admin\AppData\Local\Temp\nswB065.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
memory/4344-144-0x0000000002A80000-0x0000000005983000-memory.dmp
memory/4344-145-0x0000000077E31000-0x0000000077F51000-memory.dmp
memory/4344-146-0x0000000002A80000-0x0000000005983000-memory.dmp