Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system -
submitted
25/03/2024, 16:19
Static task
static1
Behavioral task
behavioral1
Sample
ORDER88273747829304.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
ORDER88273747829304.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
General
-
Target
ORDER88273747829304.exe
-
Size
641KB
-
MD5
530e8e04a85a0d33d960e21318b80478
-
SHA1
c44ccc95de3b32b60c4c2ae6684cd97b253bc88e
-
SHA256
f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
-
SHA512
a8805190ffcf67e5f8b6c0b7e421d6d7aa107c979d040a47fe0814dba706412a93afed88044a8e2619d19e78dc5e762087c8e626d233dced829d8d28439b79f4
-
SSDEEP
12288:ewWNc8eZ5YG4rtXzlrkipUe3mQakoeN4eN/FH6+C8XKDem+Gk5lIeF3jYFTKE2:eBM74BJkipUQmsN4eN/FH6+CLDeT5bt/
Malware Config
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Loads dropped DLL 2 IoCs
pid   Process
2060  ORDER88273747829304.exe
2060  ORDER88273747829304.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid   Process
1328  ORDER88273747829304.exe
1328  ORDER88273747829304.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid   Process
2060  ORDER88273747829304.exe
1328  ORDER88273747829304.exe
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                  procid_target
PID 2060 set thread context of 1328  2060  ORDER88273747829304.exe  28
-
Drops file in Program Files directory 1 IoCs
description   ioc                                                                  Process
File created  C:\Program Files (x86)\Common Files\stumpnsedes\uforbeholdenheds.lnk  ORDER88273747829304.exe
-
Drops file in Windows directory 2 IoCs
description                   ioc                               Process
File created                  C:\Windows\resources\murkier.lnk  ORDER88273747829304.exe
File opened for modification  C:\Windows\resources\murkier.lnk  ORDER88273747829304.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
2060  ORDER88273747829304.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process                  procid_target
PID 2060 wrote to memory of 1328  2060  ORDER88273747829304.exe  28
PID 2060 wrote to memory of 1328  2060  ORDER88273747829304.exe  28
PID 2060 wrote to memory of 1328  2060  ORDER88273747829304.exe  28
PID 2060 wrote to memory of 1328  2060  ORDER88273747829304.exe  28
PID 2060 wrote to memory of 1328  2060  ORDER88273747829304.exe  28
PID 2060 wrote to memory of 1328  2060  ORDER88273747829304.exe  28
Processes
-
C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2060 -
  C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe (child of PID 2060)
  "C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1328
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
29B
MD5 fb7e9f0a2cfd292c2a31edc1b25b3c4e
SHA1 fab73738d595e2428ea4da5cdeaab8e5e1ac7764
SHA256 6305d408267ea7ac8ef8ea596c082fe8259c86ea842702bfeeeecfe05cd9e062
SHA512 d87a24e83ed916027a2fb75d9d35ba00be0005e85532c3db387784bc9a42d4f02aac7225c2799fff37559664ecc62f0e05c76744c8eb313a3377670bfc02e9b1
-
Filesize
29B
MD5 d856983df5f78b6918c4e0680279fea2
SHA1 03e1d3160bae500d7a6facae108c0ed1d9003c4b
SHA256 23a07e8c9efa38a34f21a116314ab925aa4a04fb287a39cbf965b9f478bdd676
SHA512 c52fda0cb3324ce3b111092780528a8210bd3d46baece0dbbfc4feee43b36c3f975e4d9d3e50833938cc32a3ae5dcbbc74bbfa1ce4e69f88073c6382a8d15b2e
-
Filesize
29B
MD5 82b08967613d161614588d050a924bb1
SHA1 b9a29a8475ffc2ebeb4cb8cef70ef1c70b7dd0a3
SHA256 a7ecdfddad858b4815a3b0871d42621b3d57ba0f1e78c3013a7621ac7e7cfe15
SHA512 d57a0c00638531e86c478b0656608753fac9063a833096e3c684fc4a1ff26f7c2af8348052c550beca6a08a4ef88fc37fa1e9c08fc8a6b96529699c333b3f8dc
-
Filesize
29B
MD5 019803e333ae98d5541e83869a5ac694
SHA1 5d8b0ec6e8218569358a55af9359718039283588
SHA256 e09cc06c305ca1d6bdc9c9929a5403040ca9115ff27a6f385bf1fce9eef5b773
SHA512 7f6039d023b6bc43d7df7c87fb4500d9d5004aae4f137f1fb47ced2c52400fbd2b12c7643acd5baefcc339e88f3a3d972e8e160ac7ed04c180d5cd5cc7dec403
-
Filesize
1KB
MD5 1e05ec7edd7b8b85501b919539d5f4a4
SHA1 fb97cdff2ab05ac13f79862829f0f235a1cf29ee
SHA256 a2ffbfe69d96474faa760f3d0cf2038ee6d64e5f1170309d9be2d37328341db1
SHA512 088279ae0672169692cd3bae2d6a80a9aa3d00f3f0acdb1a39adbfc433c815280d720ea660c83c161bdfbe49b54bd242b0f1e2ece06d9739f33e431891f601fe
-
Filesize
1KB
MD5 2c317b138dc769e9c54c8f299705d425
SHA1 ce81bb74ebdfd77217fb7d727c75ed42ba767ceb
SHA256 2f64b84f9b6f4ac227c4049564eb056f6e74faef242ed1e04d0075ef7478bf8c
SHA512 21dced78ceaa7b64f985dca09fb0c289272a6b5335516c9cb38392ffb7aba3ad0f0cb50a55c5e2b5592923e7fde38fdd4d176b896a35d86ba3aa128640d512ae
-
Filesize
11KB
MD5 55a26d7800446f1373056064c64c3ce8
SHA1 80256857e9a0a9c8897923b717f3435295a76002
SHA256 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA512 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b
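The dropped and downloaded artifacts above are listed only by size and hash, so to use them as indicators one first has to recover them from the report text, where some exports run the label straight into the value (MD5fb7e...). The following added example (not the sandbox's tooling; SAMPLE_REPORT is constructed from two of the Downloads entries on this page, and the function names are the author's choice) parses both spaced and fused forms, validates each digest by length for its algorithm, and checks a file's contents against the resulting indicator list.

```python
"""Pull file indicators (size + hashes) out of a text sandbox report and
check local data against them.

Added example, not part of the sandbox. SAMPLE_REPORT below is constructed
from two of the Downloads entries in this report; one uses the fused
"MD5<hex>" form that text extraction produces, the other "MD5 <hex>".
"""
import hashlib
import re
from typing import Dict, List

SAMPLE_REPORT = """\
Downloads
-
Filesize
29B
MD5fb7e9f0a2cfd292c2a31edc1b25b3c4e
SHA1fab73738d595e2428ea4da5cdeaab8e5e1ac7764
SHA2566305d408267ea7ac8ef8ea596c082fe8259c86ea842702bfeeeecfe05cd9e062
-
Filesize
11KB
MD5 55a26d7800446f1373056064c64c3ce8
SHA1 80256857e9a0a9c8897923b717f3435295a76002
SHA256 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
"""

# Longest labels first so "SHA256..." is never read as "SHA1" + hex; the
# per-algorithm length check then rejects anything the label swallowed.
HASH_RE = re.compile(r"^(MD5|SHA512|SHA256|SHA1)\s*([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text: str) -> List[Dict[str, str]]:
    """Return one dict per 'Filesize' block: {'size': ..., 'md5': ..., ...}."""
    entries: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    expect_size = False
    for raw in text.splitlines():
        line = raw.strip()
        if expect_size:                 # the line after 'Filesize' is the size itself
            cur["size"] = line
            expect_size = False
            continue
        if line == "Filesize":          # start of a new artifact block
            cur = {}
            entries.append(cur)
            expect_size = True
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            algo, hexval = m.group(1), m.group(2).lower()
            if len(hexval) == HEX_LEN[algo]:
                cur[algo.lower()] = hexval
    return entries


def hashes_of(data: bytes) -> Dict[str, str]:
    """All four digests the report uses, keyed like parse_report's output."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def match_iocs(data: bytes, entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries whose recorded digest (any algorithm present) equals the data's digest."""
    mine = hashes_of(data)
    return [e for e in entries
            if any(e.get(algo) == mine[algo] for algo in mine)]


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print(e)
```

Keying the match on any algorithm present lets the same indicator list serve feeds that only carry one digest (for example a SHA256-only blocklist), while the length check stops a fused "SHA256..." line from being accepted as a malformed SHA1.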