Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2024, 12:31

General

  • Target

    shipping documents_pdf.exe

  • Size

    372KB

  • MD5

    bd62f17940dfd751c9819c454cc69bc5

  • SHA1

    fb98c9cad78cc269181e3eee7f14b89f74e04b09

  • SHA256

    32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482

  • SHA512

    bff52c0a232b12a9369264b824583493448f0ee70381271dcd9f0214fefd48a0b9527c7bf7ecb75b651f8b9a942924037eb22340da768531c876823b9027a617

  • SSDEEP

    6144:0GYgXWlQwTiuj8KHwL0+OulsWJyaAt/wVcmBkTv6+CuxUHAKsvJT8wGl8KRLTm9O:tDGvj8KHwLbHdE/wRBSzCuxBKiZGl8LO
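
The hashes above identify the submitted file; the Downloads list further down gives the same four digests for every dropped artefact. The following Python is an added example, not part of the sandbox report: it confirms that a local file is the reported sample (all four algorithms, case-insensitive) and sweeps a directory tree for any of the report's dropped files by content hash. The SHA-256 values in it are copied from this report; the files that demo() writes are constructed stand-ins so the code runs offline and never needs the real sample.

```python
"""Hunt a filesystem for the artefacts listed in this report, by content hash.

Added example, not part of the sandbox report. The SHA-256 values in
REPORT_SHA256 are quoted from the report (the sample under General, dropped
files under Downloads). The files written by demo() are constructed stand-ins
so that the code runs offline; nothing here touches the real sample.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 -> label. Digests are quoted from the report. Only two of the twelve
# Setup.ini variants are listed; the others are added the same way.
REPORT_SHA256 = {
    "32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482":
        "shipping documents_pdf.exe (submitted sample)",
    "ddb449bc2845a618168cabd8690e030f57bf3221b4d8f46d55abd28ac02f55d0":
        r"C:\Program Files (x86)\svbenes.lnk",
    # ns*.tmp\System.dll is the plugin layout NSIS installers unpack at run time.
    "e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27":
        r"nso9DB8.tmp\System.dll",
    "2eba686a57cb8d9b9633c14fdb01b45f88dda41e4c1b5ad9e04c76342d028146":
        "Setup.ini (105B variant)",
    "884a935a2c03c220dfeb62bea02d289069c5f84e3dc6cabe4c606e884362790a":
        "Setup.ini (83B variant)",
}

# The four algorithms the report publishes for the sample, in its order.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def _digest_chunks(chunks, algorithms=ALGORITHMS):
    """Feed every chunk to all hashers in one pass; return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    return _digest_chunks([data], algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    """Stream the file in 1 MiB chunks so large samples are not read into memory."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(1 << 20), b""), algorithms)


def compare_digests(observed, expected):
    """Algorithms whose observed digest differs from the reported one (case-
    insensitive). An empty list means the local file is the reported sample; a
    mismatch on one algorithm only usually means a typo in the IOC list."""
    return sorted(alg for alg, want in expected.items()
                  if observed.get(alg, "").lower() != want.lower())


def hunt(root, indicators):
    """Walk root and return (path, label) for each file whose SHA-256 is in
    indicators. Matching is by content, never by name: the report lists twelve
    distinct Setup.ini files, so a name search would say nothing useful."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = hash_file(p, ("sha256",))["sha256"]
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in indicators:
                hits.append((p, indicators[digest]))
    return hits


def demo():
    """Self-check on constructed data: a stand-in 'dropped file' whose digest is
    added to the indicator set at run time, plus one benign file."""
    stand_in = b"constructed stand-in for a dropped artefact\n"
    indicators = dict(REPORT_SHA256)
    indicators[hash_bytes(stand_in, ("sha256",))["sha256"]] = "constructed stand-in"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "Setup.ini").write_bytes(stand_in)
        (root / "readme.txt").write_bytes(b"benign content\n")
        hits = hunt(root, indicators)
    return {
        "hit_names": sorted(p.name for p, _ in hits),
        "hit_labels": sorted(label for _, label in hits),
        "report_iocs_matched": sum(label in REPORT_SHA256.values() for _, label in hits),
    }


if __name__ == "__main__":
    for path, label in hunt(Path("."), REPORT_SHA256):
        print(f"{path}: matches report artefact {label}")
    print(demo())
```

Run it from the directory holding a suspected sample or a collected Temp folder. Note that SSDEEP is deliberately left out: hashlib has no ssdeep, and a fuzzy-hash comparison needs a separate library and a similarity threshold rather than an equality check.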

Score
10/10

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1944
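
The process tree above is the pattern worth detecting: PID 2236 starts a second copy of its own image (PID 1944), and the signatures fired on the parent are SetThreadContext, WriteProcessMemory and MapViewOfSection, with NtSetInformationThread(ThreadHideFromDebugger) on both processes. The Python below is an added example, not part of the report: a heuristic over a process/API event trace that flags a parent which spawns its own image and then writes memory and rewrites a thread context in that child. EVENTS is a constructed trace modelled on this tree; the PIDs and image path are the report's, but the API call targets and the benign control events are assumptions, since the report only names the process that triggered each signature, not the target.

```python
"""Flag the self-injection pattern shown in this report's process tree.

Added example, not part of the sandbox report. EVENTS is a constructed trace
modelled on the tree above: PID 2236 spawns a second copy of its own image
(PID 1944) and then uses injection primitives against it. The target_pid
values and the benign control events are assumptions.
"""
from collections import defaultdict

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

EVENTS = [
    # Malicious chain: PIDs and image path from the report, the rest constructed.
    {"event": "process_create", "pid": 2236, "ppid": 1588,
     "image": SAMPLE_IMAGE, "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "pid": 1944, "ppid": 2236,
     "image": SAMPLE_IMAGE, "parent_image": SAMPLE_IMAGE},
    {"event": "api", "pid": 2236, "api": "NtSetInformationThread",
     "info_class": "ThreadHideFromDebugger"},
    {"event": "api", "pid": 2236, "api": "WriteProcessMemory", "target_pid": 1944},
    {"event": "api", "pid": 2236, "api": "SetThreadContext", "target_pid": 1944},
    {"event": "api", "pid": 1944, "api": "NtSetInformationThread",
     "info_class": "ThreadHideFromDebugger"},
    # Benign control (constructed): a debugger-like write into a child that is a
    # different image and never has its thread context rewritten.
    {"event": "process_create", "pid": 3000, "ppid": 2900,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Tools\dbg.exe"},
    {"event": "api", "pid": 2900, "api": "WriteProcessMemory", "target_pid": 3000},
]

# Primitives that together place code in another process and redirect execution.
INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext", "NtMapViewOfSection"}
# Both are required for a finding: WriteProcessMemory on its own is routine in
# debuggers and installers, so alone it produces noise rather than detections.
REQUIRED = {"WriteProcessMemory", "SetThreadContext"}


def find_self_injection(events):
    """One finding per (parent, child) pair where the child is a fresh copy of the
    parent's own image and the parent then uses every REQUIRED primitive on it."""
    created = {e["pid"]: e for e in events if e["event"] == "process_create"}
    apis_by_pair = defaultdict(set)
    for e in events:
        if e["event"] == "api" and "target_pid" in e:
            apis_by_pair[(e["pid"], e["target_pid"])].add(e["api"])
    findings = []
    for (src, dst), apis in sorted(apis_by_pair.items()):
        child = created.get(dst)
        if child is None or child["ppid"] != src:
            continue  # cross-process access that is not parent-to-child: out of scope here
        same_image = child["image"].lower() == child["parent_image"].lower()
        used = apis & INJECTION_APIS
        if same_image and REQUIRED <= used:
            findings.append({"parent": src, "child": dst,
                             "image": child["image"], "apis": sorted(used)})
    return findings


def hide_from_debugger_pids(events):
    """PIDs that set ThreadHideFromDebugger on a thread: an attached debugger then
    receives no debug events from that thread, which is why the report flags it."""
    return {e["pid"] for e in events
            if e["event"] == "api" and e.get("info_class") == "ThreadHideFromDebugger"}


if __name__ == "__main__":
    for f in find_self_injection(EVENTS):
        print(f"self-injection: {f['parent']} -> {f['child']} via {', '.join(f['apis'])}")
    print("anti-debug PIDs:", sorted(hide_from_debugger_pids(EVENTS)))
```

Feeding real telemetry means mapping your EDR or Sysmon fields onto the event keys used here (process creation with parent image, and cross-process API or access events with a target PID); the logic itself does not change.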

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\svbenes.lnk

          Filesize

          864B

          MD5

          e46bab0f6f023d2a3fa6606b7f150b7c

          SHA1

          f2b4dd7317c8f08976b06e58ea95cde705b22a99

          SHA256

          ddb449bc2845a618168cabd8690e030f57bf3221b4d8f46d55abd28ac02f55d0

          SHA512

          b9651256a2b3572587cd7892338720b16740b3ab05ac71eea81eae14ba6cdad1d58c6331cba5eeb4fe109350fc63f9fa5a4b8a5fa768d107ddc49a408a2d2cc9

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          105B

          MD5

          38c6f7822cd89991db6fccc5b04b96c9

          SHA1

          cec31a690a8d9395d59946690f7528ce5f5e0114

          SHA256

          2eba686a57cb8d9b9633c14fdb01b45f88dda41e4c1b5ad9e04c76342d028146

          SHA512

          a6cb93d984fe69f4f4a2bda9001dac25897e6127ccb848762999a9eb8d18d69fbda7308eb1e8d32f9b9e94678b874dcede10066980a56333d8a2d19a5a7a0db8

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          83B

          MD5

          2036172597e1b4963fd3b7e13d40673a

          SHA1

          7e0bf45ec820a491bba227bf40ffd241f7c64dd0

          SHA256

          884a935a2c03c220dfeb62bea02d289069c5f84e3dc6cabe4c606e884362790a

          SHA512

          e5c74658515b7b9a976b1d70d133ff1faad87336e28827b91f07fa33a9edee9d9dc235b8625f066340030a541fe329d4ba85ec8c8c1991ff78284d638fc4279b

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          100B

          MD5

          a5abbcb8df7be9fb106cf4b866de5789

          SHA1

          3ade531f3aee7c2ed0d3a99eeb9ddf81b37e1f64

          SHA256

          f3e010af71ac7ee31d4e97940983e9d7b4860f35daae17da8aac46f17b3ec13f

          SHA512

          18d4860fd132e0bdecae35743d2c065c7e17bf1c38ed0199a59738100eec4fe820832b4a99e88a212e57b05d85bbca5a3a642a94d840674438c1f70b766f835f

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          72B

          MD5

          779b80f06dc17e0308cd0a7c5098b4a8

          SHA1

          c951e91e8d44f20219c1888107b084c1ea7e82a0

          SHA256

          169b4ba95045bdca9d7e95eb057ad0efb0549fac78959a05a27af5640470d3ac

          SHA512

          ae1fe68c0188be4da7055b3c452a3aef26fdfeddecd7b745f97779da2d31ae8d94c6f98c0bfef11e2ca40ea02f414e7c6394a2e7077137481358041f9ae16031

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          83B

          MD5

          98d7d71899b69bd6c8e6a37c9b00eb66

          SHA1

          cfb50ec65212d957e1dada3e1f4ef412e4140322

          SHA256

          21b3c141417f1b236a826ac3484fead173f3de9393971636d816089740fe6261

          SHA512

          4c5815ed873b647eae7e06914d34c6fddaaff6ccab448969c0e4bf53d05a93391d6ecba0a72c21bf77da5b0387d7cd5b0cb02eef4afd397eb0e1da94cdaf364b

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          93B

          MD5

          31c6763348290b55937c299798397fc4

          SHA1

          e3fb904fb7d0c4783d6eadd27cbb6490d9dbdb62

          SHA256

          54f670713e05b4255779429774d8449e432390becf3059efa49b2d48e34ead37

          SHA512

          f79cdbada225aa94c959d4be3a448194da1b209b47adb693a94c78b50cd9cd2cefb13028525f10a46ffc0fab6fa0e85245ce3a0e3c01d1b657c5557dcd16e383

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          61B

          MD5

          c214d3d493e42611d47a33fafb39bc06

          SHA1

          ab6d2d1e65bd5a5842350a0098c3f36627a4b59d

          SHA256

          1ef2f84d2867769f0c9754089267b1b5cb8c372aef14de4a6f41da07966fd3d2

          SHA512

          218cdb58f9d3e7e85f6e19cf9981255b374b9f641c02cc392976e7a0120ae4d2c8f9762f4d2711350b8c3612be69e8512cc091d37d33deb8cb265974f7ac4b1b

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          77B

          MD5

          7c9994efba81832c70af271c1579e0a6

          SHA1

          3a1cce125bc46a691317257b23f134bc18720621

          SHA256

          6a6e175a7ca2f7a483b70f797aab60749f9a8f911511a4cc2fb669cb04ed7530

          SHA512

          5021ef22848dd750ce8f866d2f9ea8154dba5bab373578de9aaf26189898d89f32355de396e4e444621d78e1284690304c3d459e9721a246ce795f11b10f1c56

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          105B

          MD5

          fe75d42e640aa75505ec138c70140276

          SHA1

          06e551b4c6ebcae0123c906c29acf97fc81c8f41

          SHA256

          e82158dea2e25b8f6dd0ba3b714f35af07645243565bb340c34fd63288281f24

          SHA512

          6589636c8ee71c6fceae8cf3f26ba20448dfb0a25f28e8f52493dc18ac18e5fb55a0c977c5ed7db9d0ce00e7709d5a7c06d92e89aa3ed8044a61052daae02394

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          92B

          MD5

          9c847f1ad21f08842521a173b9d00432

          SHA1

          d987cb50a957666f4089f604d34a7be0ee2a17f7

          SHA256

          63c28f692fcc1bc08347f6b1cdc814602a08967fe3a64b967cea3ada69af2a44

          SHA512

          c90ba042249970d2d85f40cc60f765d46d55127bb398839f2d2a126e47762e1c75a646ae414b33e20d5b46c63be2962539d6b42027d05ffc8d0fe2830fd8d359

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          101B

          MD5

          614ecfc851e7e863309121f8137f266f

          SHA1

          c6f0fe87be453ef9ccc55c724a9a0a8f73fdeffd

          SHA256

          757c044693441357d1e3efe2be7385f888ee33f80bb8d57b01f49ffbc420fd63

          SHA512

          9581acdafa8b36610845552ea6c24954efa585dff300f56d72e26d9536e73872b05fc1d7e53a66d3e663702554eff2c3683fae2589f1c7eb2650584b43a1b781

        • C:\Users\Admin\AppData\Local\Temp\Setup.ini

          Filesize

          105B

          MD5

          ea9cb56bf8b284444ac0d5f604e323c6

          SHA1

          c2fe4d26b795e26615d7597df3ba1cbd83547248

          SHA256

          16607c7901e408b5e4367e8da3b8dfc51d0b47e110e3dc291a9d0951595443a6

          SHA512

          359141fd551a91bf8c306e655f8efcfd98f3c1f1058a62f2575e420731ceb175dc7cafe25ffca64e963517aaf756f1cd062f0aa2e20f01af1427a0ecd9d5a95b

        • \Users\Admin\AppData\Local\Temp\nso9DB8.tmp\System.dll

          Filesize

          11KB

          MD5

          ee260c45e97b62a5e42f17460d406068

          SHA1

          df35f6300a03c4d3d3bd69752574426296b78695

          SHA256

          e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

          SHA512

          a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

        • memory/1944-11792-0x0000000076E90000-0x0000000077039000-memory.dmp

          Filesize

          1.7MB

        • memory/1944-11789-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

        • memory/1944-11791-0x0000000001470000-0x0000000002353000-memory.dmp

          Filesize

          14.9MB

        • memory/1944-11793-0x00000000770B6000-0x00000000770B7000-memory.dmp

          Filesize

          4KB

        • memory/1944-11794-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

        • memory/1944-11820-0x0000000001470000-0x0000000002353000-memory.dmp

          Filesize

          14.9MB

        • memory/1944-11821-0x0000000077080000-0x0000000077156000-memory.dmp

          Filesize

          856KB

        • memory/2236-11787-0x0000000077080000-0x0000000077156000-memory.dmp

          Filesize

          856KB

        • memory/2236-11786-0x0000000076E90000-0x0000000077039000-memory.dmp

          Filesize

          1.7MB

        • memory/2236-11788-0x0000000010000000-0x0000000010006000-memory.dmp

          Filesize

          24KB

        • memory/2236-11790-0x0000000003970000-0x0000000004853000-memory.dmp

          Filesize

          14.9MB

        • memory/2236-11785-0x0000000003970000-0x0000000004853000-memory.dmp

          Filesize

          14.9MB

        • memory/2236-11830-0x0000000003970000-0x0000000004853000-memory.dmp

          Filesize

          14.9MB
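
The memory dump names above encode the PID, a dump sequence number and the address range of each region, and the listed Filesize is simply end minus start. The Python below is an added example, not part of the report: a parser for that naming scheme that recovers the fields, reproduces the report's size column, collapses repeated dumps of the same range, and compares the two processes. DUMP_NAMES is copied from the list above; the arithmetic is the report's, while the cross-process comparison (the 0xEE3000-byte region that appears at 0x3970000 in the parent and at 0x1470000 in the child) is this example's own inference about where to look first.

```python
"""Parse the memory-dump names in this report and recover what they encode.

Added example, not part of the sandbox report. Each entry in the Downloads list
is named memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp; DUMP_NAMES below
is copied from the report. Sizes reproduce the report's Filesize column; the
cross-process comparison is this example's own inference.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMP_NAMES = [
    "memory/1944-11792-0x0000000076E90000-0x0000000077039000-memory.dmp",
    "memory/1944-11789-0x0000000000400000-0x0000000001462000-memory.dmp",
    "memory/1944-11791-0x0000000001470000-0x0000000002353000-memory.dmp",
    "memory/1944-11793-0x00000000770B6000-0x00000000770B7000-memory.dmp",
    "memory/1944-11794-0x0000000000400000-0x0000000001462000-memory.dmp",
    "memory/1944-11820-0x0000000001470000-0x0000000002353000-memory.dmp",
    "memory/1944-11821-0x0000000077080000-0x0000000077156000-memory.dmp",
    "memory/2236-11787-0x0000000077080000-0x0000000077156000-memory.dmp",
    "memory/2236-11786-0x0000000076E90000-0x0000000077039000-memory.dmp",
    "memory/2236-11788-0x0000000010000000-0x0000000010006000-memory.dmp",
    "memory/2236-11790-0x0000000003970000-0x0000000004853000-memory.dmp",
    "memory/2236-11785-0x0000000003970000-0x0000000004853000-memory.dmp",
    "memory/2236-11830-0x0000000003970000-0x0000000004853000-memory.dmp",
]


def parse_dump_name(name):
    """Return pid, dump sequence number, [start, end) range and byte size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Match the report's rounding: whole KB below 1 MiB, one-decimal MB above,
    both on a 1024 base (876,544 bytes prints as 856KB, 15,609,856 as 14.9MB)."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def regions_by_pid(names):
    """Distinct regions per PID, sorted by address. A range dumped several times
    (0x3970000-0x4853000 in PID 2236 has three sequence numbers) collapses to one
    entry that keeps every sequence number."""
    regions = defaultdict(dict)
    for r in map(parse_dump_name, names):
        key = (r["start"], r["end"])
        entry = regions[r["pid"]].setdefault(
            key, {"start": r["start"], "end": r["end"], "size": r["size"], "seqs": []})
        entry["seqs"].append(r["seq"])
    return {pid: [dict(v, seqs=sorted(v["seqs"])) for _, v in sorted(rs.items())]
            for pid, rs in regions.items()}


def cross_process_size_matches(names):
    """Region sizes present in more than one PID at different base addresses.
    Ranges identical in both processes (0x76E90000.. and 0x77080000.. here) are
    excluded: system DLLs map at the same address in every process of a boot
    session. A same-size region at different addresses in parent and child is
    what a copied payload looks like, so those two dumps are the ones to diff."""
    by_size = defaultdict(lambda: defaultdict(set))
    for r in map(parse_dump_name, names):
        by_size[r["size"]][r["pid"]].add(r["start"])
    out = []
    for size, pids in sorted(by_size.items()):
        starts = set().union(*pids.values())
        if len(pids) >= 2 and len(starts) >= 2:
            out.append((size, {pid: sorted(s) for pid, s in sorted(pids.items())}))
    return out


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(DUMP_NAMES).items()):
        print(f"PID {pid}")
        for r in regions:
            print(f"  0x{r['start']:08X}-0x{r['end']:08X}  {human_size(r['size']):>7}"
                  f"  dumps {r['seqs']}")
    for size, where in cross_process_size_matches(DUMP_NAMES):
        print(f"same size 0x{size:X} in several PIDs at different bases: {where}")
```

Two caveats for anyone pivoting on these dumps: the sequence number orders the dumps, not the regions, so the same range reappearing with a later number is a later snapshot of it; and a 16.4MB dump at 0x400000 in the child says nothing by itself about how large the original image was (the submitted file is 372KB), only what was mapped there when the snapshot was taken.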