Overview

overview

10

Static

static

3

654b1b7e0a...f3.exe

windows7-x64

10

654b1b7e0a...f3.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    139s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2024 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe

  • Size

    788KB

  • MD5

    a328e5c2bfd461feb3e832f24264abbe

  • SHA1

    d3397b8b8ff445ac3f7b27c12419ae8880b7ecd4

  • SHA256

    654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3

  • SHA512

    fb4a7a2b13000fc8955c9b5299a6f6b29d4ddb567fc1b04acc986d1e07522063416142cb3e9c270f8144a5aa35cd676def6eb1d73d65fe900d1154502c5d3bed

  • SSDEEP

    24576:8opVCF2Ga2nhKzo2sKc+sPP9Sw21Iimv1GUvgk:8sCF2GpLVPowarmv1bR

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
    "C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe
      "C:\Users\Admin\AppData\Local\Temp\654b1b7e0ab72f25833213fadaf8bac4d0c616c242b99525a722eee025a5adf3.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1588
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1144
        3⤵
        • Program crash
        PID:2256
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1588 -ip 1588
    1⤵
      PID:1396

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsn8DBB.tmp\System.dll
      Filesize

      11KB

      MD5

      3f176d1ee13b0d7d6bd92e1c7a0b9bae

      SHA1

      fe582246792774c2c9dd15639ffa0aca90d6fd0b

      SHA256

      fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

      SHA512

      0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

      Download Submit

    • C:\Users\Admin\Desktop\sexbombes.ini
      Filesize

      48B

      MD5

      020722cea174cdf2e504cdd0944e9935

      SHA1

      11efb296d9c118b4f7101173e0fd3e7927286dfc

      SHA256

      abf81fb4711b6f9b7ec09239c71a231876e85a9035d90385058f386d638f2f05

      SHA512

      72d4ab9ff93befd603c90fccb732a57f96ef0f0b66dab0ac6855e6a36314c6739b0d032162619cde1667e192591f502ecbdaf194dac5a10aeb2b302d851b1341

      Download Submit

    • memory/1588-360-0x0000000001660000-0x0000000002291000-memory.dmp

      Filesize

      12.2MB

      Download

    • memory/1588-361-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1588-366-0x0000000001660000-0x0000000002291000-memory.dmp

      Filesize

      12.2MB

      Download

    • memory/1588-367-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1588-355-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1588-356-0x0000000001660000-0x0000000002291000-memory.dmp

      Filesize

      12.2MB

      Download

    • memory/1588-357-0x0000000077768000-0x0000000077769000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1588-358-0x0000000077785000-0x0000000077786000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1588-359-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1588-364-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1588-365-0x00000000776E1000-0x0000000077801000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1588-362-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1588-363-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2868-351-0x0000000004050000-0x0000000004C81000-memory.dmp

      Filesize

      12.2MB

      Download

    • memory/2868-352-0x00000000776E1000-0x0000000077801000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2868-354-0x0000000004050000-0x0000000004C81000-memory.dmp

      Filesize

      12.2MB

      Download

    • memory/2868-353-0x0000000010004000-0x0000000010005000-memory.dmp

      Filesize

      4KB

      Download