Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 08/08/2023, 07:39
Static task: static1
Behavioral task: behavioral1
  Sample: new-order PI-No202307110.XLS.docx
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: new-order PI-No202307110.XLS.docx
  Resource: win10v2004-20230703-en
General
Target: new-order PI-No202307110.XLS.docx
Size: 11KB
MD5: ed203e9a95bb5aed220c02e3e41840aa
SHA1: 5b90a10971c35a3f45e58e122c0e25e4049cbb98
SHA256: 4338ea7febcb6a73ff3a463dc3ff90d8330bfd2cd6d5f760dfe5516c74bdba69
SHA512: 9aeafbe447f47a30ebea465fc759f5dc27fb18c49ac5ff34d23075f04f4943f2f95a56a462840c0e12a5636b1cf937308f8041359bc43a00c9e34e5f3cf3c2be
SSDEEP: 192:mya0NnReBWk4N5eNA2A+EnVs+mg1SoBOJYaO36PvdrK16LvnY93cWeszUyDjB:myXnReBWku5+A2bkBdBOJYaOqPg6Lw9Z
Malware Config
Signatures
Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
Blocklisted process makes network request (1 IoCs)
  flow  pid  Process
  7     948  EQNEDT32.EXE
Downloads MZ/PE file
Checks QEMU agent file (2 TTPs, 1 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  description              ioc                                   Process
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  kobee951587.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  2900  kobee951587.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  948   EQNEDT32.EXE
  2900  kobee951587.exe
  2900  kobee951587.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   Process
  2900  kobee951587.exe
Drops file in Windows directory (1 IoCs)
  description                   ioc                                Process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid  Process
  948  EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  1708  WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                 pid   Process
  Token: SeShutdownPrivilege  1708  WINWORD.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1708  WINWORD.EXE
  1708  WINWORD.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process       procid_target
  PID 948 wrote to memory of 2900   948   EQNEDT32.EXE  30
  PID 948 wrote to memory of 2900   948   EQNEDT32.EXE  30
  PID 948 wrote to memory of 2900   948   EQNEDT32.EXE  30
  PID 948 wrote to memory of 2900   948   EQNEDT32.EXE  30
  PID 1708 wrote to memory of 1696  1708  WINWORD.EXE   35
  PID 1708 wrote to memory of 1696  1708  WINWORD.EXE   35
  PID 1708 wrote to memory of 1696  1708  WINWORD.EXE   35
  PID 1708 wrote to memory of 1696  1708  WINWORD.EXE   35
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\new-order PI-No202307110.XLS.docx"
  PID: 1708
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\splwow64.exe
    command line: C:\Windows\splwow64.exe 12288
    PID: 1696
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 948
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Roaming\kobee951587.exe
    command line: "C:\Users\Admin\AppData\Roaming\kobee951587.exe"
    PID: 2900
    - Checks QEMU agent file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E7B4EB0C-F852-428F-9695-617BEB7A8938}.FSD
  Filesize: 128KB
  MD5: 0d1f62481159ff870f99ccf6d45aa30a
  SHA1: 3b3b33a5d4811f472dd7d8f04bf11dda7ed33449
  SHA256: 157ac81271ab3a6aea7c6d3fb73a1fa257cc8e2a8069087806cfcce839460da6
  SHA512: 25ac83f6ae390ec051218600c2c8c290a992950fb0348d5a179d75ca2e24931205baf9a13d9ccd81d7b271157a07407f77614d458d98fbb286afccac7819af5a
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E7B4EB0C-F852-428F-9695-617BEB7A8938}.FSD
  Filesize: 128KB
  MD5: b20b6cc5acd993a22506b2966c172667
  SHA1: eb6468ad3456bbfc4da1c852e5d1f323dd731d53
  SHA256: f787bfb84e7311fcf4352066feef9916728145c78eed08606d95687607cd5b36
  SHA512: 7ffcdbfdabbaef08b2b97293ba199d5d72ce995ced792693f95adaa123e2697d8bf2b5618a42adf511cd00b878116130c9b3ea69897d183469567bfb2f155a15
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 53d8fe731b94b4da46e059d1636f0098
  SHA1: 4229d4df9cf633b7fefa01874f24d8b6f2fb16af
  SHA256: a7aa14cdb47f54f3de32587cc95c493d93d2412626903b589c1848d08a627bf8
  SHA512: 0e17695ed1e034ceaf077c42b95fc100d10c5445c664a6a4e5ff2e32386de9f0aaaf1d3461bafdd3787a05a90cca08101d052214d9931fadb44c7bdea21637d5
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\kobeezx[1].doc
  Filesize: 80KB
  MD5: 822ca31c5b8abc31d5b81fa02278907f
  SHA1: a105e79b85f8bb3c7c66a50af1c7b3f8a21ef5ea
  SHA256: 8b5a7b79e5537e3f9bc64570f0671948ca33f7a8c979e74be718669c1e20f075
  SHA512: 05bb5930df8265a49fee5fd31c12b9fcef94d96280fa7725a737c42f2821831759fe8b8410adc7729c50d0f73936d214a34a4bafc2c255adfa0d964b8a31d3bb
(no path listed)
  Filesize: 11KB
  MD5: 9625d5b1754bc4ff29281d415d27a0fd
  SHA1: 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
  SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
  SHA512: dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b
(no path listed)
  Filesize: 128KB
  MD5: 14332caff184fd188a5c0445ca069986
  SHA1: b1d1dbb282ae2f0db016bc20814576207f6b352d
  SHA256: e09d30c4b14a7fcc334c243676e1a12f0509c49734b3164c57c4704246ee4a42
  SHA512: 59e8dd567a95d749c97a0f0e5ba31505d0dbfffbb268d4b711fae9959b07b3eb3d883030b4f4f242e7fd1e2044f0cfef10f665a2689bcc3ea4024f9595e0c4a7
(no path listed)
  Filesize: 20KB
  MD5: 36d5589496aab235dac498d692b997fa
  SHA1: 921c32739e3b756c48e88f7369b2168ff125aba7
  SHA256: 7b838896ab9b3d9a560785f172eb2c36115ff1b5229d0990aa48beb30e2fa2f9
  SHA512: 3c047ec4773bb0acd83d6af120fcfd8220afc69656f40054b29016fac579540fe612f16ee88ff0351df53b85531f3d1be572f9de04464ce4ca11758cf688bcbf
(no path listed)
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
(no path listed)
  Filesize: 476KB
  MD5: f9523a569eaa47e6ce6dc10c9b07117b
  SHA1: 01859c3360b613e1d8663b8edb702bea32ef65cc
  SHA256: 2e97f4d6bf16c0c918f48301129830bf11639ac0090c6eb937b126345fcc2185
  SHA512: 453345710c0cb4f047e05f4b4af112866b9355f885b3d257c83cd75ed4943050d90a7c85b3d186bf81860a2e43d0ebde5b8cbcb7f315d19aee11b81484a9311b