Overview

overview

10

Static

static

3

UMOWA DEV8...df.exe

windows7-x64

10

UMOWA DEV8...df.exe

windows10-2004-x64

10

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Repurchase...91.deb

windows7-x64

3

Repurchase...91.deb

windows10-2004-x64

3

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 10:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    UMOWA DEV8759 - pdf.exe

  • Size

    545KB

  • MD5

    2f6fbd4dd3ffb23e86b8fe0c092d4d59

  • SHA1

    a093d228d0aa8769419ef25153d1310e826aec79

  • SHA256

    baa364ff2127d6dc7cd49fddc9fe7a3e1c4b93173d8f7531d172a38285115ea9

  • SHA512

    78cbb98cd4ade680b0bee831db01a4babf4c9b17c5252362cdb380291cd10deaf01a81657c9986802b07a246617b080ff4680d45d16e2a43d25fbe86a0fb2762

  • SSDEEP

    12288:29HJyccI40lhH3k07aii3riCeYUG+PcuU:29HJZcI4gJGQAdx

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UMOWA DEV8759 - pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\UMOWA DEV8759 - pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Users\Admin\AppData\Local\Temp\UMOWA DEV8759 - pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\UMOWA DEV8759 - pdf.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5096

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsf2D1D.tmp\Banner.dll
          Filesize

          4KB

          MD5

          aea3ac67fa68fd3f00edfbf9b43a2770

          SHA1

          aa59d1a4311c42b612ee66a027f224261beebbc3

          SHA256

          f4530c734e3ce6253ffa6e5d755d61e4709ab9fc3b0eee3d4cdb89ec89c48bd2

          SHA512

          ffb6abc624d50ae8bc9c83ff518cb532dfd076f107077dceaf0e23d11c186a18671a5f538270be8b0b986e41ad1981a3606995046a6ee7b6b64a33c83ed72df9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsf2D1D.tmp\System.dll
          Filesize

          11KB

          MD5

          960a5c48e25cf2bca332e74e11d825c9

          SHA1

          da35c6816ace5daf4c6c1d57b93b09a82ecdc876

          SHA256

          484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

          SHA512

          cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsf2D1D.tmp\nsDialogs.dll
          Filesize

          9KB

          MD5

          8ced0b79f7b9033d0795aab3be6d627c

          SHA1

          90c2043ffccd068f407c624c50ac7b795db1e132

          SHA256

          495bddc0be6e18e981db82fab9d1de55c7e269ab4ec3ff43035193bc017a307b

          SHA512

          e38f63a342729f5ff6d0db607d7877b65c33ed19e2b5a97dd868ece8c2a3e829d4153624943444be2f0de885496161d54c1da9594bdc0a5a0bcc8b727e2facb0

          Download Submit

        • C:\Windows\Fonts\matteret.lnk
          Filesize

          1KB

          MD5

          28e7015e7851ef927a3aae513847fea3

          SHA1

          a2c48069a441644408b9cc44609883b1af28cd0e

          SHA256

          a1e13e4fc7ca5dfbc1c8fc7ed6f9827806ce7ae99f38b24b93b67572e59f0911

          SHA512

          3a27ca274a8c953838c53395a8b763e0f011054639436aee0ae2db22797f791f924c973006fd1c017ad2c8e1a9c763df80d1aaa5d925bac68ca73f4d4ab72d0d

          Download Submit

        • memory/4788-339-0x0000000010000000-0x0000000010006000-memory.dmp

          Filesize

          24KB

          Download

        • memory/4788-338-0x0000000077761000-0x0000000077881000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4788-337-0x00000000049E0000-0x00000000064F7000-memory.dmp

          Filesize

          27.1MB

          Download

        • memory/4788-341-0x00000000049E0000-0x00000000064F7000-memory.dmp

          Filesize

          27.1MB

          Download

        • memory/4788-352-0x00000000049E0000-0x00000000064F7000-memory.dmp

          Filesize

          27.1MB

          Download

        • memory/5096-340-0x00000000016D0000-0x00000000031E7000-memory.dmp

          Filesize

          27.1MB

          Download

        • memory/5096-342-0x00000000777E8000-0x00000000777E9000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5096-343-0x0000000077805000-0x0000000077806000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5096-344-0x0000000000470000-0x00000000016C4000-memory.dmp

          Filesize

          18.3MB

          Download

        • memory/5096-345-0x00000000016D0000-0x00000000031E7000-memory.dmp

          Filesize

          27.1MB

          Download

        • memory/5096-347-0x0000000077761000-0x0000000077881000-memory.dmp

          Filesize

          1.1MB

          Download