Overview

overview

10

Static

static

3

76dbfa281b...91.exe

windows7-x64

10

76dbfa281b...91.exe

windows10-2004-x64

4

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76dbfa281b158a18c83d08a907f087b7330da28bdd2298eb9ee2f23c1df40491.exe

  • Size

    776KB

  • MD5

    1c089552c29f12843d8cd8e2bbf5cf5b

  • SHA1

    6f3e611fc7d7d5938b99575bcd96366d6e213eab

  • SHA256

    76dbfa281b158a18c83d08a907f087b7330da28bdd2298eb9ee2f23c1df40491

  • SHA512

    3f6220ce4196ea9ec13ef699a8b8e51e8a7d5035511f8b252230bcc024e423610d5474587030f68dbfc5193bd02402975b6f71e9e352fd17453519748ab3a885

  • SSDEEP

    12288:K0Z4SNwhFaoncbHNsyBNzjdsO8aIaLJtBT7bbQ4:J4SO/wbtsQ9jdsFaxl3bbT

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76dbfa281b158a18c83d08a907f087b7330da28bdd2298eb9ee2f23c1df40491.exe
    "C:\Users\Admin\AppData\Local\Temp\76dbfa281b158a18c83d08a907f087b7330da28bdd2298eb9ee2f23c1df40491.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\Admin\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:2652
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:848

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Edderduns.Ama
      Filesize

      298KB

      MD5

      4433aa89bb2e3b2cd206c9f6ee4b88e2

      SHA1

      889695db99aa5cf9deb29d599560c84fdeb6a56f

      SHA256

      980b91ae25a9f486f7c303c942de6d6c25da5e5b681156ecb59ecd52b024fec7

      SHA512

      e81e20d296a5c53328dbd19902ab279601a2ba53d1ed9c004895b2bacf92fb5ec58fd0a644da6be814cbadde9c90f4e29528de79cb8926bc27c6ec54ebd33cf0

      Download Submit
    • C:\Users\Admin\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta
      Filesize

      82KB

      MD5

      c986903b6d507cf170e00cb73e2afe97

      SHA1

      4d54e166c2ec5e7844ae0c93c1e25dc3104ad9ef

      SHA256

      aae5ed65a22d59635bd7451a31c91c91c7d3d9265db88bb6de3faba46e1cca30

      SHA512

      9c0db6de2fae46d696eab9f036fd45e732cd7b8912b68448c83f0dcf0d32a4a804b965c225a849251b7200fe865f06873e894e3b1570e980fbbc73e39d21eca5

      Download Submit
    • memory/848-26-0x0000000001A80000-0x0000000004814000-memory.dmp
      Filesize

      45.6MB

      Download
    • memory/848-31-0x0000000000A10000-0x0000000001A72000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/848-30-0x0000000001A80000-0x0000000004814000-memory.dmp
      Filesize

      45.6MB

      Download
    • memory/848-28-0x0000000077D86000-0x0000000077D87000-memory.dmp
      Filesize

      4KB

      Download
    • memory/848-29-0x0000000077D50000-0x0000000077E26000-memory.dmp
      Filesize

      856KB

      Download
    • memory/848-27-0x0000000077B60000-0x0000000077D09000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/2828-19-0x0000000006320000-0x00000000090B4000-memory.dmp
      Filesize

      45.6MB

      Download
    • memory/2828-25-0x0000000006320000-0x00000000090B4000-memory.dmp
      Filesize

      45.6MB

      Download
    • memory/2828-8-0x00000000743E0000-0x000000007498B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2828-20-0x0000000006320000-0x00000000090B4000-memory.dmp
      Filesize

      45.6MB

      Download
    • memory/2828-22-0x0000000005C90000-0x0000000005D90000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2828-23-0x0000000077B60000-0x0000000077D09000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/2828-24-0x0000000077D50000-0x0000000077E26000-memory.dmp
      Filesize

      856KB

      Download
    • memory/2828-18-0x0000000002730000-0x0000000002770000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2828-17-0x00000000743E0000-0x000000007498B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2828-16-0x00000000050F0000-0x00000000050F4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2828-13-0x0000000002730000-0x0000000002770000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2828-14-0x0000000005C90000-0x0000000005D90000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2828-9-0x00000000743E0000-0x000000007498B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2828-10-0x0000000002730000-0x0000000002770000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2828-36-0x0000000006320000-0x00000000090B4000-memory.dmp
      Filesize

      45.6MB

      Download