Overview

overview

10

Static

static

1

Ordine_doc...04.wsf

windows7-x64

10

Ordine_doc...04.wsf

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Ordine_doc_419024001904.wsf

  • Size

    177KB

  • Sample

    240424-prryzshh83

  • MD5

    734c9d6b82b44237e5befe07faa4149b

  • SHA1

    b6a244eeb8ed209f2222b112cf2925f7eac7d1db

  • SHA256

    4949351915c2627905d17fe54bb56341f0af23331257e235b79eaa876fcad8cf

  • SHA512

    2ed78410af0a2c43252946545ed5f0e5132d03335c5321b9b08a7179b28c0f07690ff5b9d3bdadd94b2c5940a668c24c5e6677893403a3f2d604b0a2ecf11ce5

  • SSDEEP

    3072:IRj8jqnKK8ccABOwbDS2y2zJETxUuoHh36EH/OG6C27wv3cHsqRBBto5mFSarj:4nR8ccABOwbDA2zJETxVu1tH/Ks0jBBn

Score
10/10
guloaderdownloaderpersistence

Malware Config

Targets

    • Target

      Ordine_doc_419024001904.wsf

    • Size

      177KB

    • MD5

      734c9d6b82b44237e5befe07faa4149b

    • SHA1

      b6a244eeb8ed209f2222b112cf2925f7eac7d1db

    • SHA256

      4949351915c2627905d17fe54bb56341f0af23331257e235b79eaa876fcad8cf

    • SHA512

      2ed78410af0a2c43252946545ed5f0e5132d03335c5321b9b08a7179b28c0f07690ff5b9d3bdadd94b2c5940a668c24c5e6677893403a3f2d604b0a2ecf11ce5

    • SSDEEP

      3072:IRj8jqnKK8ccABOwbDS2y2zJETxUuoHh36EH/OG6C27wv3cHsqRBBto5mFSarj:4nR8ccABOwbDA2zJETxVu1tH/Ks0jBBn

    Score
    10/10
    guloaderdownloaderpersistence

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks