Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-10-2024 15:47
General
-
Target
Device/HarddiskVolume4/Users/belia.peso.IBEROSTARHV.000/AppData/Local/Temp/Rar$EXa7092.35635/factura 563423.exe
-
Size
901KB
-
MD5
6cb35cad38c80bbb552c99caf75f9371
-
SHA1
f1dcc7d9805738aaf1f30b32383674ea30706269
-
SHA256
057e7554f7a499adfd2c0a3485675fef4f602b23e2e0a1fd4e07da5b993e4ebf
-
SHA512
638594b7228a8e747c34f1ab7916774feaff1ce58e875e64bb28cc6742472a305c5aa06e709ec708aad990d9e78ce828509af8a575b3fe62082699de1bb81734
-
SSDEEP
12288:TSlZI9dcNnPmsS7wkJW7DQFeh2FCCMntz6I8128TsXULDh+gDBf6j4Ydcv+l:2lTnpc/J2d2UVf+DLD1BbYGW
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume4\Users\belia.peso.IBEROSTARHV.000\AppData\Local\Temp\Rar$EXa7092.35635\factura 563423.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 4563⤵
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
860B
MD53f645fe4b4adce1d1472df12098eff41
SHA17a0765c17cbf95a6e4b9cefc58cd1680da327b76
SHA2563d2ab3b3b6bab614b83a710c24bcddc0a468ad5347e47d11658b83ddcffb56c0
SHA5120df3d528004da1ddaabddd1e6f732e98905837e8f512bbd4bbed57e6d3c28a04ba85b3372372e9b4ac6a9420b564dde931601ae18ad3b84039eb4ea1b4caaf41
-
Filesize
830B
MD5c6fd1538cea9d4df087e2d323d7704d1
SHA1ab425391c84cdbfa97dcbcc132251574ad2d214b
SHA25699ef8ab7d11ea63fb02550b0882a4a2a537374449d44782bc504a8dedc00bdfc
SHA512adcad143ac989da96ed754875c4e999ee25d5c97c423b2503c7c1b7bee6c998c27483d22cdf85a90c7a8b23f93122652688ea383c1cc19589912af0bfb6188f9
-
Filesize
11KB
MD5cf85183b87314359488b850f9e97a698
SHA16b6c790037eec7ebea4d05590359cb4473f19aea
SHA2563b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
SHA512fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b
-
Filesize
16.4MB
-
Filesize
1.7MB
-
Filesize
16.4MB
-
Filesize
16.4MB
-
Filesize
16.4MB
-
Filesize
24.4MB
-
Filesize
1.0MB
-
Filesize
1.7MB
-
Filesize
24.4MB