Analysis

  • max time kernel
    148s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-02-2024 05:18

General

  • Target

    cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe

  • Size

    1.1MB

  • MD5

    2ac9cd56e3877efa00a0353cde71186f

  • SHA1

    d0460a2b1fe30c342216048c4390af045b120146

  • SHA256

    cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac

  • SHA512

    e78d405d9b92319d396d488e4c104021a224789fabf09a278d252e1aa407cae1ce4d3562f1e6a18bc3151e16049a1a6d3687b6a4578fc4c946349d5292eb9e2d

  • SSDEEP

    24576:oS5HuMJiUsl/f4g0lnQFpy54j3BjqgMQUWhypBj:B5o/falnQ+54j3ZftUNBj

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe
    "C:\Users\Admin\AppData\Local\Temp\cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Program Files (x86)\windows mail\wab.exe
      "C:\Users\Admin\AppData\Local\Temp\cbfc10741fb440a5c351bb62a9ffbe13d8fb90304925bee56ac6dd54a8e001ac.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2708

Network

  • DNS 173.178.17.96.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 173.178.17.96.in-addr.arpa IN PTR
    Response: 173.178.17.96.in-addr.arpa IN PTR a96-17-178-173.deploy.static.akamaitechnologies.com
  • DNS 232.168.11.51.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 232.168.11.51.in-addr.arpa IN PTR
    Response: (none)
  • DNS 26.165.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 26.165.165.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 15.164.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 18.134.221.88.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 18.134.221.88.in-addr.arpa IN PTR
    Response: 18.134.221.88.in-addr.arpa IN PTR a88-221-134-18.deploy.static.akamaitechnologies.com
  • DNS 81.171.91.138.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 81.171.91.138.in-addr.arpa IN PTR
    Response: (none)
  • DNS 114.110.16.96.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 114.110.16.96.in-addr.arpa IN PTR
    Response: 114.110.16.96.in-addr.arpa IN PTR a96-16-110-114.deploy.static.akamaitechnologies.com
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (none)
  • DNS 48.229.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 48.229.111.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 97.17.167.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 97.17.167.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 240.221.184.93.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 240.221.184.93.in-addr.arpa IN PTR
    Response: (none)
  • DNS 28.118.140.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 28.118.140.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS drive.google.com
    Remote address: 8.8.8.8:53
    Request: drive.google.com IN A
    Response: drive.google.com IN A 172.217.169.46
  • DNS 227.16.217.172.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 227.16.217.172.in-addr.arpa IN PTR
    Response: 227.16.217.172.in-addr.arpa IN PTR mad08s04-in-f3.1e100.net
    Response: 227.16.217.172.in-addr.arpa IN PTR lhr48s28-in-f3.1e100.net
  • DNS 46.169.217.172.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 46.169.217.172.in-addr.arpa IN PTR
    Response: 46.169.217.172.in-addr.arpa IN PTR lhr48s08-in-f14.1e100.net
  • DNS drive.usercontent.google.com
    Remote address: 8.8.8.8:53
    Request: drive.usercontent.google.com IN A
    Response: drive.usercontent.google.com IN A 142.250.180.1
  • DNS 1.180.250.142.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 1.180.250.142.in-addr.arpa IN PTR
    Response: 1.180.250.142.in-addr.arpa IN PTR lhr25s32-in-f1.1e100.net
  • 20.231.121.79:80
    260 B
    5
  • 172.217.169.46:443
    drive.google.com
    tls
    1.7kB
    10.8kB
    16
    14
  • 142.250.180.1:443
    drive.usercontent.google.com
    tls
    2.0kB
    13.5kB
    20
    18
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    173.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    173.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    81.171.91.138.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    81.171.91.138.in-addr.arpa

  • 8.8.8.8:53
    114.110.16.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    114.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    drive.google.com
    dns
    62 B
    78 B
    1
    1

    DNS Request

    drive.google.com

    DNS Response

    172.217.169.46

  • 8.8.8.8:53
    227.16.217.172.in-addr.arpa
    dns
    73 B
    140 B
    1
    1

    DNS Request

    227.16.217.172.in-addr.arpa

  • 8.8.8.8:53
    46.169.217.172.in-addr.arpa
    dns
    73 B
    112 B
    1
    1

    DNS Request

    46.169.217.172.in-addr.arpa

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    74 B
    90 B
    1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.180.1

  • 8.8.8.8:53
    1.180.250.142.in-addr.arpa
    dns
    72 B
    110 B
    1
    1

    DNS Request

    1.180.250.142.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsfB784.tmp\System.dll

    Filesize

    11KB

    MD5

    17ed1c86bd67e78ade4712be48a7d2bd

    SHA1

    1cc9fe86d6d6030b4dae45ecddce5907991c01a0

    SHA256

    bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

    SHA512

    0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

  • memory/2708-23-0x0000000001EA0000-0x00000000046ED000-memory.dmp

    Filesize

    40.3MB

  • memory/2708-24-0x0000000077418000-0x0000000077419000-memory.dmp

    Filesize

    4KB

  • memory/2708-25-0x0000000077391000-0x00000000774B1000-memory.dmp

    Filesize

    1.1MB

  • memory/2708-27-0x0000000001EA0000-0x00000000046ED000-memory.dmp

    Filesize

    40.3MB

  • memory/2708-28-0x0000000000C40000-0x0000000001E94000-memory.dmp

    Filesize

    18.3MB

  • memory/5068-19-0x00000000052C0000-0x0000000007B0D000-memory.dmp

    Filesize

    40.3MB

  • memory/5068-20-0x00000000052C0000-0x0000000007B0D000-memory.dmp

    Filesize

    40.3MB

  • memory/5068-21-0x0000000077391000-0x00000000774B1000-memory.dmp

    Filesize

    1.1MB

  • memory/5068-22-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB
