Analysis Overview
SHA256
4338ea7febcb6a73ff3a463dc3ff90d8330bfd2cd6d5f760dfe5516c74bdba69
Threat Level: Known bad
The file new-order PI-No202307110.XLS.docx was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Checks QEMU agent file
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Launches Equation Editor
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-08 07:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-08 07:39
Reported
2023-08-08 07:41
Platform
win7-20230712-en
Max time kernel
122s
Max time network
126s
Signatures
Guloader,Cloudeye
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Downloads MZ/PE file
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Roaming\kobee951587.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kobee951587.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kobee951587.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kobee951587.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kobee951587.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
Launches Equation Editor
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\new-order PI-No202307110.XLS.docx"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\Admin\AppData\Roaming\kobee951587.exe
"C:\Users\Admin\AppData\Roaming\kobee951587.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
| TR | 194.55.224.13:80 | 194.55.224.13 | tcp |
| TR | 194.55.224.13:80 | 194.55.224.13 | tcp |
| TR | 194.55.224.13:80 | 194.55.224.13 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\{BD83628D-EAAB-4663-BFF0-A927DF68FFCA}
| MD5 | 14332caff184fd188a5c0445ca069986 |
| SHA1 | b1d1dbb282ae2f0db016bc20814576207f6b352d |
| SHA256 | e09d30c4b14a7fcc334c243676e1a12f0509c49734b3164c57c4704246ee4a42 |
| SHA512 | 59e8dd567a95d749c97a0f0e5ba31505d0dbfffbb268d4b711fae9959b07b3eb3d883030b4f4f242e7fd1e2044f0cfef10f665a2689bcc3ea4024f9595e0c4a7 |
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E7B4EB0C-F852-428F-9695-617BEB7A8938}.FSD
| MD5 | 0d1f62481159ff870f99ccf6d45aa30a |
| SHA1 | 3b3b33a5d4811f472dd7d8f04bf11dda7ed33449 |
| SHA256 | 157ac81271ab3a6aea7c6d3fb73a1fa257cc8e2a8069087806cfcce839460da6 |
| SHA512 | 25ac83f6ae390ec051218600c2c8c290a992950fb0348d5a179d75ca2e24931205baf9a13d9ccd81d7b271157a07407f77614d458d98fbb286afccac7819af5a |
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E7B4EB0C-F852-428F-9695-617BEB7A8938}.FSD
| MD5 | b20b6cc5acd993a22506b2966c172667 |
| SHA1 | eb6468ad3456bbfc4da1c852e5d1f323dd731d53 |
| SHA256 | f787bfb84e7311fcf4352066feef9916728145c78eed08606d95687607cd5b36 |
| SHA512 | 7ffcdbfdabbaef08b2b97293ba199d5d72ce995ced792693f95adaa123e2697d8bf2b5618a42adf511cd00b878116130c9b3ea69897d183469567bfb2f155a15 |
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
| MD5 | 53d8fe731b94b4da46e059d1636f0098 |
| SHA1 | 4229d4df9cf633b7fefa01874f24d8b6f2fb16af |
| SHA256 | a7aa14cdb47f54f3de32587cc95c493d93d2412626903b589c1848d08a627bf8 |
| SHA512 | 0e17695ed1e034ceaf077c42b95fc100d10c5445c664a6a4e5ff2e32386de9f0aaaf1d3461bafdd3787a05a90cca08101d052214d9931fadb44c7bdea21637d5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\kobeezx[1].doc
| MD5 | 822ca31c5b8abc31d5b81fa02278907f |
| SHA1 | a105e79b85f8bb3c7c66a50af1c7b3f8a21ef5ea |
| SHA256 | 8b5a7b79e5537e3f9bc64570f0671948ca33f7a8c979e74be718669c1e20f075 |
| SHA512 | 05bb5930df8265a49fee5fd31c12b9fcef94d96280fa7725a737c42f2821831759fe8b8410adc7729c50d0f73936d214a34a4bafc2c255adfa0d964b8a31d3bb |
\Users\Admin\AppData\Roaming\kobee951587.exe
| MD5 | f9523a569eaa47e6ce6dc10c9b07117b |
| SHA1 | 01859c3360b613e1d8663b8edb702bea32ef65cc |
| SHA256 | 2e97f4d6bf16c0c918f48301129830bf11639ac0090c6eb937b126345fcc2185 |
| SHA512 | 453345710c0cb4f047e05f4b4af112866b9355f885b3d257c83cd75ed4943050d90a7c85b3d186bf81860a2e43d0ebde5b8cbcb7f315d19aee11b81484a9311b |
\Users\Admin\AppData\Local\Temp\nsoD5C7.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 36d5589496aab235dac498d692b997fa |
| SHA1 | 921c32739e3b756c48e88f7369b2168ff125aba7 |
| SHA256 | 7b838896ab9b3d9a560785f172eb2c36115ff1b5229d0990aa48beb30e2fa2f9 |
| SHA512 | 3c047ec4773bb0acd83d6af120fcfd8220afc69656f40054b29016fac579540fe612f16ee88ff0351df53b85531f3d1be572f9de04464ce4ca11758cf688bcbf |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-08 07:39
Reported
2023-08-08 07:41
Platform
win10v2004-20230703-en
Max time kernel
123s
Max time network
137s
Signatures
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\new-order PI-No202307110.XLS.docx" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |