Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
15-04-2024 09:36
General
-
Target
PO# ROSIT MR2309040.exe
-
Size
761KB
-
MD5
9cca6c27ab4c2d57ffb57973de78658c
-
SHA1
961a879187aa8d7665cb00bbbfddcf67bce4172c
-
SHA256
051cb37b130a5af6e0fdcedbcbf67901e45baf9a99cf81e106b0e72e4ef2f6b9
-
SHA512
afca46b53e037e1872f4810c45ac0561bcef96b7dffc34bfd697082228934f66a5ea949b578a28f9d1e1b6ee4698e639dc2f4ed4769eec2aa9ad55382ba91461
-
SSDEEP
12288:Zgf3/HvEqA4wXuyo86ii63KnVdZsfZhgZ7q+V9qKWLZrEGg29fiuhx:83/PE0weyorI6nzOfZq7S+o9v
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO# ROSIT MR2309040.exe"C:\Users\Admin\AppData\Local\Temp\PO# ROSIT MR2309040.exe"2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO# ROSIT MR2309040.exe"C:\Users\Admin\AppData\Local\Temp\PO# ROSIT MR2309040.exe"3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1010B
MD59dd9da3d2db1cb56a760e7d3a4f9941e
SHA14941f4b2c5bb69ec07c94d6a7c6f8c4f9c0074cb
SHA25645d66628094e96bf1f0e3e2c89b191745f30f38948d0f91bd250b133df216167
SHA512118677286bdabaeb4d77d031c82b2f5c668bf39ead3d9981f664d62d84eb454b159716ba720877c46b200bd8c07e579853a1c6036dc8b5c3f8f2ad3cd414f4dd
-
Filesize
11KB
MD5a4dd044bcd94e9b3370ccf095b31f896
SHA117c78201323ab2095bc53184aa8267c9187d5173
SHA2562e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA51287335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a
-
Filesize
34.3MB
-
Filesize
34.3MB
-
Filesize
24KB
-
Filesize
1.1MB
-
Filesize
34.3MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
14.5MB
-
Filesize
14.5MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
3.3MB
-
Filesize
256KB
-
Filesize
628KB
-
Filesize
256KB
-
Filesize
34.3MB
-
Filesize
18.3MB
-
Filesize
120KB
-
Filesize
1.1MB
-
Filesize
18.3MB
-
Filesize
3.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
34.3MB
-
Filesize
18.3MB
-
Filesize
932KB