Analysis
max time kernel: 140s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/05/2024, 20:44
Static task: static1
Behavioral task: behavioral1
  Sample: Gecikmis odeme.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Gecikmis odeme.exe
  Resource: win10v2004-20240226-en
General
Target: Gecikmis odeme.exe
Size: 104KB
MD5: bb357ccfe2cfcda6512d979e4bfd4b84
SHA1: 9a63e5f0d0e5f66a9b7ee47a2fd7a2eeefab36e2
SHA256: 0bd6c14cb1ba4500de6884448d122ad199f67cb56912533aef9cbbe7d7c3b66f
SHA512: 8271bbb94a7d313f47e631f705c56f04b3af86541e448a9ab38c48173c4bef3afb7db21bb82ace31444b1d16910915c55d399260ff82e15cdabe37a8151f73b9
SSDEEP: 768:En8cA69MRzXDRbfDbMh7aZRGNcxmT2dr7+4AHsE3FlgXmUbv/P9:O9MRzFbDbMh2uYq25+4s3FGtbv/P9
Malware Config
Extracted
Family: guloader
URL: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file
Signatures
Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  1504  Gecikmis odeme.exe
  2716  Gecikmis odeme.exe
Suspicious use of SetThreadContext (1 IoC)
  description                              pid   Process             procid_target
  PID 1504 set thread context of 2716      1504  Gecikmis odeme.exe  96
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1504  Gecikmis odeme.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1504  Gecikmis odeme.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                              pid   Process             procid_target
  PID 1504 wrote to memory of 2716         1504  Gecikmis odeme.exe  96
  PID 1504 wrote to memory of 2716         1504  Gecikmis odeme.exe  96
  PID 1504 wrote to memory of 2716         1504  Gecikmis odeme.exe  96
  PID 1504 wrote to memory of 2716         1504  Gecikmis odeme.exe  96
Processes
1. "C:\Users\Admin\AppData\Local\Temp\Gecikmis odeme.exe"
   PID: 1504
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\Gecikmis odeme.exe"
      PID: 2716
      - Suspicious use of NtSetInformationThreadHideFromDebugger
1. "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
   PID: 4024