Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25/03/2024, 12:31
Static task: static1
Behavioral task: behavioral1
  Sample: shipping documents_pdf.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: shipping documents_pdf.exe
  Resource: win10v2004-20240319-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20240226-en
General
- Target: shipping documents_pdf.exe
- Size: 372KB
- MD5: bd62f17940dfd751c9819c454cc69bc5
- SHA1: fb98c9cad78cc269181e3eee7f14b89f74e04b09
- SHA256: 32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482
- SHA512: bff52c0a232b12a9369264b824583493448f0ee70381271dcd9f0214fefd48a0b9527c7bf7ecb75b651f8b9a942924037eb22340da768531c876823b9027a617
- SSDEEP: 6144:0GYgXWlQwTiuj8KHwL0+OulsWJyaAt/wVcmBkTv6+CuxUHAKsvJT8wGl8KRLTm9O:tDGvj8KHwLbHdE/wRBSzCuxBKiZGl8LO
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Loads dropped DLL (1 IoC)
  PID 2236: shipping documents_pdf.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 3: drive.google.com
  flow 4: drive.google.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 2236: shipping documents_pdf.exe
  PID 1944: shipping documents_pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2236 (shipping documents_pdf.exe) set thread context of PID 1944 (procid_target 30)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\svbenes.lnk (shipping documents_pdf.exe)
  File opened for modification: C:\Program Files (x86)\svbenes.lnk (shipping documents_pdf.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2236: shipping documents_pdf.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2236 (shipping documents_pdf.exe) wrote to memory of PID 1944 (procid_target 30), repeated 6 times
Processes
- "C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe" (PID 2236)
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child: "C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe" (PID 1944)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads