Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/08/2023, 06:16

General

  • Target
    Payoffs.exe
  • Size
    485KB
  • MD5
    8d1b9a7a8b8432f44917156c2b90601e
  • SHA1
    655a6ba188174e17dccaeb309bd5356560b6b6a2
  • SHA256
    ff1731ac0ceea544a04afa1526c83d5d6fa0a41fd1cf845e6e81095c9b373ad1
  • SHA512
    b8250f13d4e9eabc31adbc3b183af3c007edae1a03463e7be301e0b4a700a7687135d6a8bf5f4dc8e91cf54693b5c9b34bb2fc8239231bd2bc1915648c69d9d1
  • SSDEEP
    6144:+mOPUV36SmUWwtPU9lg15ux+jN25cVQIvjPTkTke77jKsU4k0+hvzvDlMh/BlU+h:9pWwd0IU5ciGjbmvzTk/5Mh7woD

Score
10/10

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payoffs.exe
    "C:\Users\Admin\AppData\Local\Temp\Payoffs.exe"
    1⤵
    • Loads dropped DLL
    PID:1328
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 1032
      2⤵
      • Program crash
      PID:1128
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 1032
      2⤵
      • Program crash
      PID:1632
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1328 -ip 1328
    1⤵
      PID:1196
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1328 -ip 1328
      1⤵
        PID:3004

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nst83E6.tmp\System.dll
    Filesize
    11KB
    MD5
    9625d5b1754bc4ff29281d415d27a0fd
    SHA1
    80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
    SHA256
    c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
    SHA512
    dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

  • memory/1328-145-0x00000000032A0000-0x0000000005125000-memory.dmp
    Filesize
    30.5MB
  • memory/1328-146-0x00000000032A0000-0x0000000005125000-memory.dmp
    Filesize
    30.5MB