Overview

overview

10

Static

static

3

Stolprende.exe

windows7-x64

10

Stolprende.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stolprende.exe

  • Size

    685KB

  • MD5

    900a0eb54d29bc61da63381e7920e5e8

  • SHA1

    8159aeac02faa944e109d86abd3b020fa51e4907

  • SHA256

    b073ae4a0ecc5af2e1e13862e97aa242768fe6f3ce1a0eb5bce474be65a5a0a7

  • SHA512

    606f1231e11fdfabf849edd81d3f6cf43552b3b602c25009d51dbbef624aa37703aa41c9b6cab61effa00e37d8d4eac759934aeb38e9bfc9feec2d47cea988c0

  • SSDEEP

    12288:cDq0UuJqoEQg42Gu/UlGxncCX49maysm46FPwU0TvGvpvIY/:cOpuJqotcDNsWL9FP6ypvD

Score
10/10
guloaderdownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\Stolprende.exe
        "C:\Users\Admin\AppData\Local\Temp\Stolprende.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Users\Admin\AppData\Local\Temp\Stolprende.exe
          "C:\Users\Admin\AppData\Local\Temp\Stolprende.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2464
          • C:\Windows\SysWOW64\fontview.exe
            "C:\Windows\SysWOW64\fontview.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3004
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              5⤵
                PID:5220

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nst3682.tmp\System.dll
        Filesize

        11KB

        MD5

        9625d5b1754bc4ff29281d415d27a0fd

        SHA1

        80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

        SHA256

        c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

        SHA512

        dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

        Download Submit

      • memory/2464-139-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2464-142-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2464-134-0x0000000001660000-0x0000000002247000-memory.dmp

        Filesize

        11.9MB

        Download

      • memory/2464-135-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2464-112-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2464-133-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2464-115-0x0000000077A88000-0x0000000077A89000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2464-116-0x0000000077AA5000-0x0000000077AA6000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2464-129-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2464-130-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2464-144-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2464-132-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2464-145-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2464-137-0x0000000077A01000-0x0000000077B21000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2464-113-0x0000000001660000-0x0000000002247000-memory.dmp

        Filesize

        11.9MB

        Download

      • memory/2464-136-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/3004-143-0x0000000000940000-0x000000000097F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3004-146-0x0000000000940000-0x000000000097F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3008-111-0x0000000010004000-0x0000000010005000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3008-109-0x0000000004A50000-0x0000000005637000-memory.dmp

        Filesize

        11.9MB

        Download

      • memory/3008-110-0x0000000077A01000-0x0000000077B21000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3008-131-0x0000000004A50000-0x0000000005637000-memory.dmp

        Filesize

        11.9MB

        Download

      • memory/3008-114-0x0000000004A50000-0x0000000005637000-memory.dmp

        Filesize

        11.9MB

        Download

      • memory/3432-141-0x000000000CB30000-0x000000000FC24000-memory.dmp

        Filesize

        49.0MB

        Download

      • memory/3432-147-0x0000000002B10000-0x0000000002BB9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/5220-154-0x00000135D0A80000-0x00000135D0B43000-memory.dmp

        Filesize

        780KB

        Download