Analysis Overview
SHA256
32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482
Threat Level: Known bad
The file shipping documents_pdf.exe was found to be: Known bad.
Malicious Activity Summary
Guloader, Cloudeye
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-25 12:33
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-25 12:33
Reported
2024-03-25 12:36
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Guloader, Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2000 set thread context of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2000 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
| PID 2000 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
| PID 2000 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
| PID 2000 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
| PID 2000 wrote to memory of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
Network
Files
C:\Program Files (x86)\svbenes.lnk
| MD5 | f05a6132a0e24d6c09afb5b4466bdec7 |
| SHA1 | 40f265dba22f5d39f89a69619c6878cbedfcb560 |
| SHA256 | 58ba460501e5000951d6bf5afd8a2da442599848dd74caeab96292d98775d662 |
| SHA512 | 361581cdbb00afffaab25a7983b4ef8e39d5d8616786a83315922bd58652b5765cd3aa1d201ca894f9e6ac5ba0bb54f953a0aadea41aee440fc8ce6457246389 |
C:\Users\Admin\AppData\Local\Temp\nsz5E3F.tmp\System.dll
| MD5 | ee260c45e97b62a5e42f17460d406068 |
| SHA1 | df35f6300a03c4d3d3bd69752574426296b78695 |
| SHA256 | e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27 |
| SHA512 | a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-25 12:33
Reported
2024-03-25 12:36
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-25 12:33
Reported
2024-03-25 12:36
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3424 wrote to memory of 4468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3424 wrote to memory of 4468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3424 wrote to memory of 4468 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4468 -ip 4468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 612
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-25 12:33
Reported
2024-03-25 12:36
Platform
win7-20240215-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Guloader, Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1772 set thread context of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1772 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
| PID 1772 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
| PID 1772 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
| PID 1772 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
| PID 1772 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
| PID 1772 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
Files
C:\Program Files (x86)\svbenes.lnk
| MD5 | 7c55b0b2ee607af3fa8b4cb51ab328c7 |
| SHA1 | eb1fffe2ca44e01a91218d0bdf874df226f9fe3a |
| SHA256 | 753333752c7ccf892ce7362346ee452bb1021e57d1975b19e6a62ad7bf82b642 |
| SHA512 | 141d591acbebd02f813063b4e2597a0cd9cc927da03bb1eba0d6efe9173057a5e4d6f28460ec5c4a26faffc9476aaeb83c6fe2bb1250523325f58c8c85f3db4e |
\Users\Admin\AppData\Local\Temp\nso127A.tmp\System.dll
| MD5 | ee260c45e97b62a5e42f17460d406068 |
| SHA1 | df35f6300a03c4d3d3bd69752574426296b78695 |
| SHA256 | e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27 |
| SHA512 | a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3 |