Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

New Order.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    2699s
  • max time network
    2701s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05/03/2024, 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.exe

  • Size

    634KB

  • MD5

    7c719e9f0ac2aa430841a5c53a13e5c4

  • SHA1

    9e908a8634e3ad3e98fb2b92921b13fa07ade434

  • SHA256

    9fefd5cbebe1a5c768a46b5615f116e03d2ae863049720fb4e32bf2cd253dc62

  • SHA512

    51c4727669ec364840d5e30c0414b96f32707a3d7b09cd9861bb0be0f9c7878a2c76637c86f120d968f4f280f3ce1e4f308cd4407e883df1d23664d1a642bbdc

  • SSDEEP

    12288:s1nnUt8ih8xaobFBTl5L8cMZnPsepuOgO6WAcopzgalClA74:+nUtvh8xvbFBTPL8c8P5ph1AxpzgaY

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsq7BAA.tmp\lystfiskerne.ini
    Filesize

    34B

    MD5

    69612515c757912debee274ddd94b80d

    SHA1

    9df1ef49945313ba4cce67e366a87372e3e836e5

    SHA256

    445fa5ecf94387f7eb337d49e5ebb916b2b70a5c8f2d9ce2f3366edb2a1e7b6b

    SHA512

    101a2f247c09ff780120bcff5f2509405d85da7dfd6c83042937cd830de23ae01e65448e23c763f5c4111de1969a2dadd03764c09cba7f7fdc40cdf72188beb8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsq7BAA.tmp\System.dll
    Filesize

    12KB

    MD5

    61429bf00b8e34bd54c813bd2f5d09b9

    SHA1

    6b04e40ea730fe7e19f9b93ce2a76108f91910aa

    SHA256

    2d14e82ace016d0f0ee4fe29df6503955f6a77f3e705424427c1555411539a0e

    SHA512

    97e8e63a26ce48730df18b8c924127028635ecbc9658a74031b1db0dc039df81d25eb60615493fab029e1612ada6019157109ebca706cacff802165cb669fe7d

    Download Submit

  • memory/504-12569-0x00007FF8F4180000-0x00007FF8F435B000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/504-12578-0x0000000077D01000-0x0000000077E14000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/504-12575-0x0000000001790000-0x0000000004652000-memory.dmp

    Filesize

    46.8MB

    Download

  • memory/504-12571-0x0000000000400000-0x0000000001783000-memory.dmp

    Filesize

    19.5MB

    Download

  • memory/504-12570-0x0000000077D86000-0x0000000077D87000-memory.dmp

    Filesize

    4KB

    Download

  • memory/504-12566-0x0000000000400000-0x0000000001783000-memory.dmp

    Filesize

    19.5MB

    Download

  • memory/504-12568-0x0000000001790000-0x0000000004652000-memory.dmp

    Filesize

    46.8MB

    Download

  • memory/3740-12562-0x0000000004FC0000-0x0000000007E82000-memory.dmp

    Filesize

    46.8MB

    Download

  • memory/3740-12565-0x0000000073E80000-0x0000000073E87000-memory.dmp

    Filesize

    28KB

    Download

  • memory/3740-12564-0x0000000077D01000-0x0000000077E14000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3740-12563-0x00007FF8F4180000-0x00007FF8F435B000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3740-12561-0x0000000004FC0000-0x0000000007E82000-memory.dmp

    Filesize

    46.8MB

    Download