Analysis
Max time kernel: 153s
Max time network: 158s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25/03/2024, 16:15
Static task: static1
Behavioral task behavioral1: Sample ORDER88273747829304.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample ORDER88273747829304.exe, Resource win10v2004-20240226-en
Behavioral task behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20240221-en
Behavioral task behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240226-en
General
Target: ORDER88273747829304.exe
Size: 641KB
MD5: 530e8e04a85a0d33d960e21318b80478
SHA1: c44ccc95de3b32b60c4c2ae6684cd97b253bc88e
SHA256: f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
SHA512: a8805190ffcf67e5f8b6c0b7e421d6d7aa107c979d040a47fe0814dba706412a93afed88044a8e2619d19e78dc5e762087c8e626d233dced829d8d28439b79f4
SSDEEP: 12288:ewWNc8eZ5YG4rtXzlrkipUe3mQakoeN4eN/FH6+C8XKDem+Gk5lIeF3jYFTKE2:eBM74BJkipUQmsN4eN/FH6+CLDeT5bt/
Malware Config
Signatures
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
Loads dropped DLL (2 IoCs)
  pid   Process
  1348  ORDER88273747829304.exe
  1348  ORDER88273747829304.exe

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid   Process
  1860  ORDER88273747829304.exe
  1860  ORDER88273747829304.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  1348  ORDER88273747829304.exe
  1860  ORDER88273747829304.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                  procid_target
  PID 1348 set thread context of 1860  1348  ORDER88273747829304.exe  104

Drops file in Program Files directory (1 IoCs)
  description   ioc                                                                  Process
  File created  C:\Program Files (x86)\Common Files\stumpnsedes\uforbeholdenheds.lnk  ORDER88273747829304.exe

Drops file in Windows directory (2 IoCs)
  description                   ioc                               Process
  File created                  C:\Windows\resources\murkier.lnk  ORDER88273747829304.exe
  File opened for modification  C:\Windows\resources\murkier.lnk  ORDER88273747829304.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  1348  ORDER88273747829304.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                  procid_target
  PID 1348 wrote to memory of 1860  1348  ORDER88273747829304.exe  104
  PID 1348 wrote to memory of 1860  1348  ORDER88273747829304.exe  104
  PID 1348 wrote to memory of 1860  1348  ORDER88273747829304.exe  104
  PID 1348 wrote to memory of 1860  1348  ORDER88273747829304.exe  104
  PID 1348 wrote to memory of 1860  1348  ORDER88273747829304.exe  104
Processes
C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe (PID 1348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe (PID 1860, child of PID 1348)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3676)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads