Overview

overview

10

Static

static

3

3b0f3fe33e...cb.exe

windows7-x64

8

3b0f3fe33e...cb.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe

  • Size

    476KB

  • MD5

    992095bdc04df2604858b99e80c8d2ec

  • SHA1

    d4004b6b5dacf8ece15f09e74ce7eb9b3cecc4d4

  • SHA256

    3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb

  • SHA512

    3d96c6d499811e8aaf308660b71c1239c4998bbed6d7d4a1b29bf2c47434683286f954b30d569fef8d8512935212770b094b7bffea2714a7254cfe24866f2da4

  • SSDEEP

    12288:8M2yMkxqt160wyP7at1BIHHgWuutYaNSohL:fMkxqtY0wztVutDhZ

Score
10/10
guloaderdownloaderexecution

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe
    "C:\Users\Admin\AppData\Local\Temp\3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Scaw=Get-Content 'C:\Users\Admin\AppData\Roaming\Grydeskeen146\sdfdsf\Adterminal\Navnerkke.Alk';$Gauzed=$Scaw.SubString(51560,3);.$Gauzed($Scaw)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:5468
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:3388
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:5840

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgshzycf.q2g.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsy273B.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        ac0f93b2dec82e9579bff14c8572a6c8

        SHA1

        6460244317cbb77e342adb3561ec3acb496c84d5

        SHA256

        3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34

        SHA512

        8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Grydeskeen146\sdfdsf\Adterminal\Navnerkke.Alk
        Filesize

        50KB

        MD5

        3f7018700a7560609c29a8bb03125143

        SHA1

        1a9b1676d0307d82fce0eed252f64491e7cf28ab

        SHA256

        0db8d7a889166b3e1d9da5b2bbc971b7f4625b7acaa5f01efc8d4540705daa33

        SHA512

        3655878a8c95c29728093b959bc978dee62e5af19c737c40644933d982f0a2f18aa2c2ec714ae169aaae706034bd4b2e960c22e9df478e7b36f36b74b35e13e6

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Grydeskeen146\sdfdsf\Strninger.Nom
        Filesize

        332KB

        MD5

        87a7d73f5fb0ae5c247898e637f04a22

        SHA1

        e7b8fe0e70b196b6cca56d9ed8dfa34a9394eebd

        SHA256

        9d1c6a04ef010dbb1f4c619b1da43f55134b40a5b5634ca4f574cbfdf6f3b598

        SHA512

        8eae07b18788f3a612ddbbebca2adb258612b455a8625aa01cb63dc454b1d7b03de49fedb7ee6bd695a575440f3d90c18cd4e5cb6bf606df25b2a8d35a27ada1

        Download Submit

      • memory/1956-41-0x00000000063B0000-0x0000000006446000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1956-44-0x0000000007490000-0x0000000007A34000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1956-25-0x0000000005720000-0x0000000005786000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1956-26-0x0000000005790000-0x00000000057F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1956-23-0x0000000005040000-0x0000000005668000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1956-36-0x0000000005900000-0x0000000005C54000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1956-37-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1956-38-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1956-39-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1956-40-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1956-22-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1956-42-0x0000000006350000-0x000000000636A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1956-43-0x0000000006E40000-0x0000000006E62000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1956-24-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1956-21-0x0000000004870000-0x00000000048A6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1956-46-0x00000000080C0000-0x000000000873A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1956-47-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1956-49-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1956-20-0x0000000073D4E000-0x0000000073D4F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1956-51-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1956-53-0x0000000008740000-0x0000000009B01000-memory.dmp

        Filesize

        19.8MB

        Download

      • memory/1956-54-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1956-55-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1956-56-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1956-57-0x0000000073D40000-0x00000000744F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3388-58-0x0000000001920000-0x0000000002CE1000-memory.dmp

        Filesize

        19.8MB

        Download