Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2024, 12:33

General

  • Target

    shipping documents_pdf.exe

  • Size

    372KB

  • MD5

    bd62f17940dfd751c9819c454cc69bc5

  • SHA1

    fb98c9cad78cc269181e3eee7f14b89f74e04b09

  • SHA256

    32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482

  • SHA512

    bff52c0a232b12a9369264b824583493448f0ee70381271dcd9f0214fefd48a0b9527c7bf7ecb75b651f8b9a942924037eb22340da768531c876823b9027a617

  • SSDEEP

    6144:0GYgXWlQwTiuj8KHwL0+OulsWJyaAt/wVcmBkTv6+CuxUHAKsvJT8wGl8KRLTm9O:tDGvj8KHwLbHdE/wRBSzCuxBKiZGl8LO

Score
10/10

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:568

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\svbenes.lnk

          Filesize

          860B

          MD5

          7c55b0b2ee607af3fa8b4cb51ab328c7

          SHA1

          eb1fffe2ca44e01a91218d0bdf874df226f9fe3a

          SHA256

          753333752c7ccf892ce7362346ee452bb1021e57d1975b19e6a62ad7bf82b642

          SHA512

          141d591acbebd02f813063b4e2597a0cd9cc927da03bb1eba0d6efe9173057a5e4d6f28460ec5c4a26faffc9476aaeb83c6fe2bb1250523325f58c8c85f3db4e

        • \Users\Admin\AppData\Local\Temp\nso127A.tmp\System.dll

          Filesize

          11KB

          MD5

          ee260c45e97b62a5e42f17460d406068

          SHA1

          df35f6300a03c4d3d3bd69752574426296b78695

          SHA256

          e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

          SHA512

          a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

        • memory/568-11792-0x0000000077AB6000-0x0000000077AB7000-memory.dmp

          Filesize

          4KB

        • memory/568-11789-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

        • memory/568-11790-0x0000000001470000-0x0000000002353000-memory.dmp

          Filesize

          14.9MB

        • memory/568-11791-0x0000000077890000-0x0000000077A39000-memory.dmp

          Filesize

          1.7MB

        • memory/568-11812-0x0000000000400000-0x0000000001462000-memory.dmp

          Filesize

          16.4MB

        • memory/568-11820-0x0000000001470000-0x0000000002353000-memory.dmp

          Filesize

          14.9MB

        • memory/568-11821-0x0000000077A80000-0x0000000077B56000-memory.dmp

          Filesize

          856KB

        • memory/1772-11786-0x0000000077890000-0x0000000077A39000-memory.dmp

          Filesize

          1.7MB

        • memory/1772-11787-0x0000000077A80000-0x0000000077B56000-memory.dmp

          Filesize

          856KB

        • memory/1772-11788-0x0000000010000000-0x0000000010006000-memory.dmp

          Filesize

          24KB

        • memory/1772-11785-0x00000000041C0000-0x00000000050A3000-memory.dmp

          Filesize

          14.9MB

        • memory/1772-11811-0x00000000041C0000-0x00000000050A3000-memory.dmp

          Filesize

          14.9MB

        • memory/1772-11830-0x00000000041C0000-0x00000000050A3000-memory.dmp

          Filesize

          14.9MB