Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2024, 12:33

General

  • Target

    shipping documents_pdf.exe

  • Size

    372KB

  • MD5

    bd62f17940dfd751c9819c454cc69bc5

  • SHA1

    fb98c9cad78cc269181e3eee7f14b89f74e04b09

  • SHA256

    32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482

  • SHA512

    bff52c0a232b12a9369264b824583493448f0ee70381271dcd9f0214fefd48a0b9527c7bf7ecb75b651f8b9a942924037eb22340da768531c876823b9027a617

  • SSDEEP

    6144:0GYgXWlQwTiuj8KHwL0+OulsWJyaAt/wVcmBkTv6+CuxUHAKsvJT8wGl8KRLTm9O:tDGvj8KHwLbHdE/wRBSzCuxBKiZGl8LO

Score
10/10

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:592

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\svbenes.lnk

          Filesize

          872B

          MD5

          f05a6132a0e24d6c09afb5b4466bdec7

          SHA1

          40f265dba22f5d39f89a69619c6878cbedfcb560

          SHA256

          58ba460501e5000951d6bf5afd8a2da442599848dd74caeab96292d98775d662

          SHA512

          361581cdbb00afffaab25a7983b4ef8e39d5d8616786a83315922bd58652b5765cd3aa1d201ca894f9e6ac5ba0bb54f953a0aadea41aee440fc8ce6457246389

        • C:\Users\Admin\AppData\Local\Temp\nsz5E3F.tmp\System.dll

          Filesize

          11KB

          MD5

          ee260c45e97b62a5e42f17460d406068

          SHA1

          df35f6300a03c4d3d3bd69752574426296b78695

          SHA256

          e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

          SHA512

          a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

        • memory/592-11804-0x0000000000400000-0x0000000001654000-memory.dmp

          Filesize

          18.3MB

        • memory/592-11807-0x00000000773C1000-0x00000000774E1000-memory.dmp

          Filesize

          1.1MB

        • memory/592-11805-0x0000000001660000-0x0000000002543000-memory.dmp

          Filesize

          14.9MB

        • memory/592-11787-0x0000000000400000-0x0000000001654000-memory.dmp

          Filesize

          18.3MB

        • memory/592-11788-0x0000000001660000-0x0000000002543000-memory.dmp

          Filesize

          14.9MB

        • memory/592-11789-0x0000000077448000-0x0000000077449000-memory.dmp

          Filesize

          4KB

        • memory/592-11790-0x0000000077465000-0x0000000077466000-memory.dmp

          Filesize

          4KB

        • memory/2000-11785-0x00000000773C1000-0x00000000774E1000-memory.dmp

          Filesize

          1.1MB

        • memory/2000-11803-0x0000000004BD0000-0x0000000005AB3000-memory.dmp

          Filesize

          14.9MB

        • memory/2000-11786-0x0000000010000000-0x0000000010006000-memory.dmp

          Filesize

          24KB

        • memory/2000-11784-0x0000000004BD0000-0x0000000005AB3000-memory.dmp

          Filesize

          14.9MB

        • memory/2000-11812-0x0000000004BD0000-0x0000000005AB3000-memory.dmp

          Filesize

          14.9MB