Analysis
max time kernel: 144s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 13:00
Static task: static1
Behavioral task: behavioral1
  Sample: 370eb5b97aae87849c88174742049624.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 370eb5b97aae87849c88174742049624.exe
  Resource: win10v2004-20231215-en
General
Target: 370eb5b97aae87849c88174742049624.exe
Size: 60KB
MD5: 370eb5b97aae87849c88174742049624
SHA1: c6269ee6a89a9b23edd760f6f3824967886302ca
SHA256: ecb4237d66f2000f1cefc832ff1f03a91856f1374646e80855c29eba23abe794
SHA512: d0d6740acaa82cbcdff072a94cac2d695b5d75123c0ce177cc7e034b7e2cc3f77e5158436fca23034511a15828072be274df689794ae933f47973c76e2c6e8e3
SSDEEP: 768:uS8R8zs0uTCaclwUk+W5qXgXT/JdfFRj0Vl/z:uSM0uTXclwUk/51j/Dr2pz
Malware Config
Extracted
Family: guloader
URL: https://drive.google.com/uc?export=download&id=1lw277A8TCTymmoU3xcAVyYliTFln3LiG
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Guloader payload (2 IoCs)
  resource: behavioral2/memory/4356-2-0x0000000000750000-0x0000000000757000-memory.dmp, yara_rule: family_guloader
  resource: behavioral2/memory/1520-4-0x0000000000960000-0x0000000000A60000-memory.dmp, yara_rule: family_guloader

Adds Run key to start application (2 TTPs, 1 IoC)
  process: RegAsm.exe
  ioc: Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\FORMIDDA = "C:\\Users\\Admin\\Rejseg\\REGENTAL.exe"

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  (the Google Drive URL in the extracted config above)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 4356: 370eb5b97aae87849c88174742049624.exe
  pid 1520: RegAsm.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 4356 (370eb5b97aae87849c88174742049624.exe) set thread context of PID 1520 (RegAsm.exe)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 4356: 370eb5b97aae87849c88174742049624.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4356: 370eb5b97aae87849c88174742049624.exe

Suspicious use of WriteProcessMemory (4 IoCs, all identical)
  PID 4356 (370eb5b97aae87849c88174742049624.exe) wrote to memory of PID 1520 (RegAsm.exe), 4 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\370eb5b97aae87849c88174742049624.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\370eb5b97aae87849c88174742049624.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child of 1)
   command line: "C:\Users\Admin\AppData\Local\Temp\370eb5b97aae87849c88174742049624.exe"
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger

Note the mismatch in process 2: the image is RegAsm.exe but the command line is the sample's own path. Together with the SetThreadContext and WriteProcessMemory events from PID 4356 into PID 1520, this is the pattern of a hollowed RegAsm.exe host, and the RunOnce value above is then written by that hollowed process rather than by the dropped sample itself.
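Detection logic for the two behaviours this report records, written over constructed events that mirror what the process tree and the RunOnce signature show. This is an added example, not code from the sandbox vendor or from the report. The event field names follow Sysmon (EventID 1 process create, EventID 13 registry value set); the PIDs, image paths, command lines and the RunOnce value come from the report, while the parent images, the two benign control events and the `DOTNET_HOSTS` heuristic list are assumptions made for illustration.

```python
"""Flag (1) a process whose command line names a different executable than
its mapped image (process hollowing into RegAsm.exe) and (2) a Run/RunOnce
value pointing under a user profile, then correlate the two.
All events below are constructed for this example."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\370eb5b97aae87849c88174742049624.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

# Constructed Sysmon-style process-creation events (EventID 1).
PROCESS_EVENTS = [
    {"EventID": 1, "ProcessId": 4356, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"', "ParentImage": r"C:\Windows\explorer.exe"},  # parent assumed
    # The hollowed host: image is RegAsm.exe, command line is the sample's.
    {"EventID": 1, "ProcessId": 1520, "Image": REGASM,
     "CommandLine": f'"{SAMPLE}"', "ParentImage": SAMPLE},
    # Benign control (assumed): RegAsm.exe started normally from a developer shell.
    {"EventID": 1, "ProcessId": 2222, "Image": REGASM,
     "CommandLine": f'"{REGASM}" /codebase C:\\build\\lib.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Constructed Sysmon-style registry value-set events (EventID 13).
REGISTRY_EVENTS = [
    {"EventID": 13, "ProcessId": 1520, "Image": REGASM,
     "TargetObject": r"HKU\S-1-5-21-3073191680-435865314-2862784915-1000"
                     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\FORMIDDA",
     "Details": r"C:\Users\Admin\Rejseg\REGENTAL.exe"},
    # Benign control (assumed): an installer registering a post-reboot step.
    {"EventID": 13, "ProcessId": 3333, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
     "Details": r'"C:\Program Files\Vendor\cleanup.exe" /silent'},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx|Services|ServicesOnce)?\\", re.I)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
# Heuristic (assumption): signed .NET utilities often used as hollowing hosts;
# none of them has a legitimate reason to create autorun values.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def first_token(cmdline: str) -> str:
    """Return the executable part of a Windows command line, honouring a
    leading double-quoted path so paths with spaces survive."""
    cmdline = cmdline.strip()
    if not cmdline:
        return ""
    if cmdline[0] == '"':
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(None, 1)[0]


def _stem(path: str) -> str:
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def image_cmdline_mismatch(event: dict) -> bool:
    """True when the executable named in the command line is not the image the
    kernel mapped. A hollowed process keeps the host image (RegAsm.exe) while its
    PEB carries whatever command line the injector passed to CreateProcess.
    Known benign cause: CreateProcess with lpApplicationName set and an unrelated
    lpCommandLine, so treat this as a strong hint rather than proof."""
    launched = _stem(first_token(event.get("CommandLine", "")))
    image = _stem(event.get("Image", ""))
    return bool(launched) and launched != image


def autorun_in_user_profile(event: dict):
    """Return the autorun target if this write sets a Run/RunOnce value whose
    executable lives under a user profile, else None. Accepts both the Sysmon
    form (HKU\\...) and the sandbox form (\\REGISTRY\\USER\\... with JSON-escaped
    backslashes and surrounding quotes in the data)."""
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None
    data = event.get("Details", "").replace("\\\\", "\\")
    exe = first_token(data)
    return exe if USER_PROFILE_RE.match(exe) else None


def scan(process_events, registry_events):
    """Run both checks and correlate them: persistence written by a process that
    already looked hollowed is exactly the sequence in this report."""
    findings, injected = [], set()
    for ev in process_events:
        if ev.get("EventID") == 1 and image_cmdline_mismatch(ev):
            injected.add(ev["ProcessId"])
            findings.append({"rule": "image_cmdline_mismatch", "pid": ev["ProcessId"],
                             "image": ev["Image"], "cmdline": ev["CommandLine"]})
    for ev in registry_events:
        if ev.get("EventID") != 13:
            continue
        target = autorun_in_user_profile(ev)
        if target is None:
            continue
        findings.append({"rule": "autorun_in_user_profile", "pid": ev["ProcessId"],
                         "value": ev["TargetObject"], "target": target,
                         "writer_is_dotnet_host": ntpath.basename(ev["Image"]).lower() in DOTNET_HOSTS,
                         "correlated_with_injection": ev["ProcessId"] in injected})
    return findings


if __name__ == "__main__":
    for finding in scan(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(finding)
```

Run against the constructed events, `scan` returns two findings, both on PID 1520: the image/command-line mismatch for the RegAsm.exe host, and the RunOnce write into `C:\Users\Admin\Rejseg\`, marked as coming from a .NET host and correlated with the injection. The two benign controls produce nothing. In real telemetry the mismatch check alone has a known false-positive source noted in its docstring, which is why the persistence write from the same PID is what should raise the alert.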
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps)
memory/1520-4-0x0000000000960000-0x0000000000A60000-memory.dmp: 1024KB
memory/1520-5-0x0000000077A91000-0x0000000077BB1000-memory.dmp: 1.1MB
memory/4356-2-0x0000000000750000-0x0000000000757000-memory.dmp: 28KB
memory/4356-3-0x0000000077A91000-0x0000000077BB1000-memory.dmp: 1.1MB
memory/4356-7-0x0000000000750000-0x0000000000757000-memory.dmp: 28KB
memory/4356-17-0x0000000000750000-0x0000000000757000-memory.dmp: 28KB