Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-04-2024 13:49

General

  • Target

    3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe

  • Size

    469KB

  • MD5

    46bbacb63c2f6c440be347e99210c3a3

  • SHA1

    8b3f6920bf657fd1973069540ec5990b2033e69a

  • SHA256

    3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e

  • SHA512

    f51dafe7612d294a70872064d9c8b1352598def99242134e4dd5aa03ef62614d3222d5b430a8bb26fa63b7e177ec7229467bae58b1e86a0775a052dcab38f7d8

  • SSDEEP

    6144:olJZfHKsHfGCZ71Cn3R1E1+hf6VkTJluAMHQaMWDLdzsaX4O6zTbw6hE4F0FDgCJ:oluqauAMeWm5OKU6O4eFFpd6MvV/lzD

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL (1 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Drops file in System32 directory (1 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Drops file in Program Files directory (1 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe
    "C:\Users\Admin\AppData\Local\Temp\3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe
      "C:\Users\Admin\AppData\Local\Temp\3b0b1b064f6b84d3b68b541f073ddca759e01adbbb9c36e7b38e6707b941539e.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\nso9D1C.tmp\System.dll

    Filesize

    11KB

    MD5

    fc90dfb694d0e17b013d6f818bce41b0

    SHA1

    3243969886d640af3bfa442728b9f0dff9d5f5b0

    SHA256

    7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528

    SHA512

    324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

  • memory/572-65-0x0000000077020000-0x00000000770F6000-memory.dmp

    Filesize

    856KB

  • memory/572-62-0x00000000014F0000-0x0000000002700000-memory.dmp

    Filesize

    18.1MB

  • memory/572-63-0x0000000076E30000-0x0000000076FD9000-memory.dmp

    Filesize

    1.7MB

  • memory/572-64-0x0000000077056000-0x0000000077057000-memory.dmp

    Filesize

    4KB

  • memory/572-67-0x0000000000480000-0x00000000014E2000-memory.dmp

    Filesize

    16.4MB

  • memory/572-68-0x00000000014F0000-0x0000000002700000-memory.dmp

    Filesize

    18.1MB

  • memory/1716-58-0x0000000076E30000-0x0000000076FD9000-memory.dmp

    Filesize

    1.7MB

  • memory/1716-59-0x0000000077020000-0x00000000770F6000-memory.dmp

    Filesize

    856KB

  • memory/1716-60-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

  • memory/1716-61-0x0000000003850000-0x0000000004A60000-memory.dmp

    Filesize

    18.1MB

  • memory/1716-57-0x0000000003850000-0x0000000004A60000-memory.dmp

    Filesize

    18.1MB

  • memory/1716-74-0x0000000003850000-0x0000000004A60000-memory.dmp

    Filesize

    18.1MB