Overview

overview

10

Static

static

3

New Order.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    2699s
  • max time network
    2701s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05/03/2024, 15:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.exe

  • Size

    634KB

  • MD5

    7c719e9f0ac2aa430841a5c53a13e5c4

  • SHA1

    9e908a8634e3ad3e98fb2b92921b13fa07ade434

  • SHA256

    9fefd5cbebe1a5c768a46b5615f116e03d2ae863049720fb4e32bf2cd253dc62

  • SHA512

    51c4727669ec364840d5e30c0414b96f32707a3d7b09cd9861bb0be0f9c7878a2c76637c86f120d968f4f280f3ce1e4f308cd4407e883df1d23664d1a642bbdc

  • SSDEEP

    12288:s1nnUt8ih8xaobFBTl5L8cMZnPsepuOgO6WAcopzgalClA74:+nUtvh8xvbFBTPL8c8P5ph1AxpzgaY

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:504

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsq7BAA.tmp\lystfiskerne.ini
          Filesize

          34B

          MD5

          69612515c757912debee274ddd94b80d

          SHA1

          9df1ef49945313ba4cce67e366a87372e3e836e5

          SHA256

          445fa5ecf94387f7eb337d49e5ebb916b2b70a5c8f2d9ce2f3366edb2a1e7b6b

          SHA512

          101a2f247c09ff780120bcff5f2509405d85da7dfd6c83042937cd830de23ae01e65448e23c763f5c4111de1969a2dadd03764c09cba7f7fdc40cdf72188beb8

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsq7BAA.tmp\System.dll
          Filesize

          12KB

          MD5

          61429bf00b8e34bd54c813bd2f5d09b9

          SHA1

          6b04e40ea730fe7e19f9b93ce2a76108f91910aa

          SHA256

          2d14e82ace016d0f0ee4fe29df6503955f6a77f3e705424427c1555411539a0e

          SHA512

          97e8e63a26ce48730df18b8c924127028635ecbc9658a74031b1db0dc039df81d25eb60615493fab029e1612ada6019157109ebca706cacff802165cb669fe7d

          Download Submit

        • memory/504-12569-0x00007FF8F4180000-0x00007FF8F435B000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/504-12578-0x0000000077D01000-0x0000000077E14000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/504-12575-0x0000000001790000-0x0000000004652000-memory.dmp

          Filesize

          46.8MB

          Download

        • memory/504-12571-0x0000000000400000-0x0000000001783000-memory.dmp

          Filesize

          19.5MB

          Download

        • memory/504-12570-0x0000000077D86000-0x0000000077D87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/504-12566-0x0000000000400000-0x0000000001783000-memory.dmp

          Filesize

          19.5MB

          Download

        • memory/504-12568-0x0000000001790000-0x0000000004652000-memory.dmp

          Filesize

          46.8MB

          Download

        • memory/3740-12562-0x0000000004FC0000-0x0000000007E82000-memory.dmp

          Filesize

          46.8MB

          Download

        • memory/3740-12565-0x0000000073E80000-0x0000000073E87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3740-12564-0x0000000077D01000-0x0000000077E14000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3740-12563-0x00007FF8F4180000-0x00007FF8F435B000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3740-12561-0x0000000004FC0000-0x0000000007E82000-memory.dmp

          Filesize

          46.8MB

          Download