Overview

overview

10

Static

static

3

a7a04842ca...2f.exe

windows7-x64

10

a7a04842ca...2f.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe

  • Size

    652KB

  • MD5

    3783014e89435e8f979155435933d4f0

  • SHA1

    c711fb0d97d5d363e241ed5532c6331e0fe8aa57

  • SHA256

    a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f

  • SHA512

    611452baa7692ffd4a5f3fb73d60a0e1b4ecc8a77d1d94021c87e369909c8d9d583c5e2ae575fd7ebb95b5a3e70fb670fa4d97a4594644b74d1bb1adc9c75010

  • SSDEEP

    12288:NgeDYSnG4nSUWbjU0WHUMTJRewXLvWkgTkVj:tDYSnG4n2bjmHUMhvKI

Score
10/10
guloadercollectiondownloaderpersistencespywarestealer

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Detects executables built or packed with MPress PE compressor 15 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
    "C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
      "C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
        C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\utjxel"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4772
      • C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
        C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\enoqedtly"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:336
      • C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe
        C:\Users\Admin\AppData\Local\Temp\a7a04842ca3e817e5ae28cf389f590ba2a4f76c63e25249419bad63277b7312f.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppuafvmnmhhp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsz4661.tmp\System.dll
    Filesize

    11KB

    MD5

    fc3772787eb239ef4d0399680dcc4343

    SHA1

    db2fa99ec967178cd8057a14a428a8439a961a73

    SHA256

    9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed

    SHA512

    79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\utjxel
    Filesize

    4KB

    MD5

    135c60fadfa99b241d9109417db8b53c

    SHA1

    b73785818a32e8d84bb55c02ccdc3d546a615526

    SHA256

    01fc52f877352f6252d3d9351993fc35d7b6b0051ac6d3146184e12f9bc6e704

    SHA512

    76812b91e51f1a206e3829b44cf13ee4cc4e5e90d88c0b0b3755b1e092eee26e6a4b18ef038a311a9443dab138761ff45fdd18145931207764c2355047611f51

    Download Submit

  • C:\Users\Admin\Pictures\belejrernes.lnk
    Filesize

    1KB

    MD5

    faa0fcb80d5343263f469e8733354215

    SHA1

    585955f30bc29b245140609efaafc7d3073b6c74

    SHA256

    36d94b5eb10a503d6ba59d0332120e6e9b3632faa6caab597d856192a9b28dc0

    SHA512

    7b9b63b692a57e7d77df6595d5f0d0cc9c05d360e969ede0e51a206deb88c410b602eff51e9b3cd527662f7ecefc98e14e2832b9b971bdba10f5b012f0b3352c

    Download Submit

  • memory/336-329-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/336-319-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/336-320-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/336-316-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2536-290-0x0000000077621000-0x0000000077741000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2536-291-0x0000000010004000-0x0000000010005000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-379-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-351-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-301-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-297-0x0000000001710000-0x0000000006F6F000-memory.dmp

    Filesize

    88.4MB

    Download

  • memory/3944-302-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-303-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-304-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-305-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-307-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-308-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-309-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-310-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-311-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-405-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-404-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-299-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-403-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-402-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-318-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-298-0x00000000004E4000-0x00000000004E5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-401-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-296-0x0000000077621000-0x0000000077741000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3944-295-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-400-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-358-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-399-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-336-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-342-0x0000000038430000-0x0000000038449000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3944-341-0x0000000038430000-0x0000000038449000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3944-338-0x0000000038430000-0x0000000038449000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3944-293-0x0000000077621000-0x0000000077741000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3944-343-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-344-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-345-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-346-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-347-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-348-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-349-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-357-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-359-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-352-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-354-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-355-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-356-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-350-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-398-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-300-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-360-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-361-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-362-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-363-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-364-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-365-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-366-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-368-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-369-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-370-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-371-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-372-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-373-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-374-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-375-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-377-0x0000000077621000-0x0000000077741000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3944-292-0x00000000776A8000-0x00000000776A9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-380-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-381-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-382-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-383-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-384-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-385-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-386-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-388-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-389-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-390-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-391-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-392-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-393-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-394-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-395-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-396-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3944-397-0x00000000004B0000-0x0000000001704000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4272-322-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4272-323-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4272-331-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4272-321-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4772-314-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4772-334-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4772-317-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4772-315-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download