Analysis
- max time kernel: 18s
- max time network: 24s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/03/2024, 16:19
Static task
- static1
Behavioral tasks
- behavioral1: sample ORDER88273747829304.exe, resource win7-20240319-en
- behavioral2: sample ORDER88273747829304.exe, resource win10v2004-20240226-en
- behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240221-en
- behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240226-en
General
- Target: ORDER88273747829304.exe
- Size: 641KB
- MD5: 530e8e04a85a0d33d960e21318b80478
- SHA1: c44ccc95de3b32b60c4c2ae6684cd97b253bc88e
- SHA256: f240a81fec7de0227d57e18da194b50d8cada15613719b3bda6236c401e0e8ea
- SHA512: a8805190ffcf67e5f8b6c0b7e421d6d7aa107c979d040a47fe0814dba706412a93afed88044a8e2619d19e78dc5e762087c8e626d233dced829d8d28439b79f4
- SSDEEP: 12288:ewWNc8eZ5YG4rtXzlrkipUe3mQakoeN4eN/FH6+C8XKDem+Gk5lIeF3jYFTKE2:eBM74BJkipUQmsN4eN/FH6+CLDeT5bt/
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Loads dropped DLL (2 IoCs)
  pid   Process
  5076  ORDER88273747829304.exe
  5076  ORDER88273747829304.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid   Process
  2724  ORDER88273747829304.exe
  2724  ORDER88273747829304.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  5076  ORDER88273747829304.exe
  2724  ORDER88273747829304.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                  procid_target
  PID 5076 set thread context of 2724  5076  ORDER88273747829304.exe  95
- Drops file in Program Files directory (1 IoC)
  description   ioc                                                                    Process
  File created  C:\Program Files (x86)\Common Files\stumpnsedes\uforbeholdenheds.lnk  ORDER88273747829304.exe
- Drops file in Windows directory (2 IoCs)
  description                   ioc                               Process
  File created                  C:\Windows\resources\murkier.lnk  ORDER88273747829304.exe
  File opened for modification  C:\Windows\resources\murkier.lnk  ORDER88273747829304.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  5076  ORDER88273747829304.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                  procid_target
  PID 5076 wrote to memory of 2724  5076  ORDER88273747829304.exe  95
  PID 5076 wrote to memory of 2724  5076  ORDER88273747829304.exe  95
  PID 5076 wrote to memory of 2724  5076  ORDER88273747829304.exe  95
  PID 5076 wrote to memory of 2724  5076  ORDER88273747829304.exe  95
  PID 5076 wrote to memory of 2724  5076  ORDER88273747829304.exe  95
Processes
- C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe (PID 5076)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe (PID 2724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER88273747829304.exe"
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Downloads