Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2024, 16:15
Static task: static1
Behavioral task: behavioral1
  Sample: ORDER88273747829304.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ORDER88273747829304.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20240226-en
General
Target: ORDER88273747829304.exe
Size: 641KB
MD5: 530e8e04a85a0d33d960e21318b80478
SHA1: c44ccc95de3b32b60c4c2ae6684cd97b253bc88e
SHA256: f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
SHA512: a8805190ffcf67e5f8b6c0b7e421d6d7aa107c979d040a47fe0814dba706412a93afed88044a8e2619d19e78dc5e762087c8e626d233dced829d8d28439b79f4
SSDEEP: 12288:ewWNc8eZ5YG4rtXzlrkipUe3mQakoeN4eN/FH6+C8XKDem+Gk5lIeF3jYFTKE2:eBM74BJkipUQmsN4eN/FH6+CLDeT5bt/
Malware Config
Signatures
Guloader, Cloudeye
A shellcode based downloader first seen in 2020.

Loads dropped DLL (2 IoCs)
pid | Process
1196 | ORDER88273747829304.exe
1196 | ORDER88273747829304.exe

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
pid | Process
1244 | ORDER88273747829304.exe
1244 | ORDER88273747829304.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
1196 | ORDER88273747829304.exe
1244 | ORDER88273747829304.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1196 set thread context of 1244 | 1196 | ORDER88273747829304.exe | 28

Drops file in Program Files directory (1 IoC)
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\stumpnsedes\uforbeholdenheds.lnk | ORDER88273747829304.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\resources\murkier.lnk | ORDER88273747829304.exe
File opened for modification | C:\Windows\resources\murkier.lnk | ORDER88273747829304.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
1568 | 1244 | WerFault.exe | 28

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1196 | ORDER88273747829304.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 1196 wrote to memory of 1244 | 1196 | ORDER88273747829304.exe | 28
PID 1196 wrote to memory of 1244 | 1196 | ORDER88273747829304.exe | 28
PID 1196 wrote to memory of 1244 | 1196 | ORDER88273747829304.exe | 28
PID 1196 wrote to memory of 1244 | 1196 | ORDER88273747829304.exe | 28
PID 1196 wrote to memory of 1244 | 1196 | ORDER88273747829304.exe | 28
PID 1196 wrote to memory of 1244 | 1196 | ORDER88273747829304.exe | 28
PID 1244 wrote to memory of 1568 | 1244 | ORDER88273747829304.exe | 33
PID 1244 wrote to memory of 1568 | 1244 | ORDER88273747829304.exe | 33
PID 1244 wrote to memory of 1568 | 1244 | ORDER88273747829304.exe | 33
PID 1244 wrote to memory of 1568 | 1244 | ORDER88273747829304.exe | 33
Processes
C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 1196
  C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID: 1244
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 464
      - Program crash
      PID: 1568
Network
MITRE ATT&CK Enterprise v15
Downloads