Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 20:33

General

  • Target

    Purchase-Order#-09-06-2020-DSCN9863.JPG.exe

  • Size

    72KB

  • MD5

    a2fa0a3020ef282e2f397ea8ec65592c

  • SHA1

    4c38b13f35b3116e1bd41cd84fcea154a34a89d5

  • SHA256

    b3b69e42ac5da2d3576a2e740f09469af31c20e6ac6b5273ef429d4a9c84c073

  • SHA512

    5a0f77c85d5f4e47d2ab9f39c6ee23d15c238d1d198977029e34a81887fec15ab6242c1bc93a270275a16175762b6e0b1a6481b290cf175f185de7ce27bda440

  • SSDEEP

    768:bcQu1aL3mNtlrHBOjwtEnWDTTzhoFROZTHi6JuBGoCjeFYrolbdM9pGMgJOmsB:bjuRtSkQWXhrZriaRoCylhdSpG3L

Score
10/10

Malware Config

Extracted

Family

guloader

C2

http://ratamodu.ga/~zadmin/group/emma_tWzAetFZ73.bin

xor.base64

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase-Order#-09-06-2020-DSCN9863.JPG.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase-Order#-09-06-2020-DSCN9863.JPG.exe"
    • Checks QEMU agent file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Local\Temp\Purchase-Order#-09-06-2020-DSCN9863.JPG.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase-Order#-09-06-2020-DSCN9863.JPG.exe"
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2548-3-0x0000000000400000-0x000000000055D000-memory.dmp

    Filesize

    1.4MB

  • memory/2548-7-0x0000000000560000-0x0000000000660000-memory.dmp

    Filesize

    1024KB

  • memory/2548-8-0x0000000000400000-0x000000000055D000-memory.dmp

    Filesize

    1.4MB

  • memory/2548-10-0x0000000000560000-0x0000000000660000-memory.dmp

    Filesize

    1024KB

  • memory/2936-2-0x0000000000720000-0x0000000000728000-memory.dmp

    Filesize

    32KB

  • memory/2936-6-0x0000000000720000-0x0000000000728000-memory.dmp

    Filesize

    32KB

  • memory/2936-5-0x0000000077831000-0x0000000077951000-memory.dmp

    Filesize

    1.1MB