Analysis
- max time kernel: 134s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2024 08:33
Static task
- static1
Behavioral tasks
- behavioral1: sample 643c1b8444da8c89fa83aed917307b6c.exe, resource win7-20240903-en
- behavioral2: sample 643c1b8444da8c89fa83aed917307b6c.exe, resource win10v2004-20241007-en
- behavioral3: sample $PLUGINSDIR/LangDLL.dll, resource win7-20240903-en
- behavioral4: sample $PLUGINSDIR/LangDLL.dll, resource win10v2004-20241007-en
- behavioral5: sample $PLUGINSDIR/System.dll, resource win7-20240708-en
- behavioral6: sample $PLUGINSDIR/System.dll, resource win10v2004-20241007-en
General
- Target: 643c1b8444da8c89fa83aed917307b6c.exe
- Size: 933KB
- MD5: 643c1b8444da8c89fa83aed917307b6c
- SHA1: dda8fa31873ef7f27e22f712a2e0b6a7ae91a582
- SHA256: 137742d1bb597a2818431b1634f38a9d93069afc1657955ef7144c152eb26f86
- SHA512: 61636bf0eabf40ef8085a68170339184a73b7a3a528604853a75e577b549240de7a78a1c879757b510a13746184caf678d05e1e77c8c7a9241cbd7c2e2b87def
- SSDEEP: 12288:2dD2EUL1JUodNF0bzjryAqlBGWcz+izP1niQPqDEfRuLCMrecszC/:wD2EK1JzW3jGxBGDaizPkY6/mMScs2
Malware Config
Signatures
- Guloader family
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Loads dropped DLL (6 IoCs)
  pid   Process
  2848  643c1b8444da8c89fa83aed917307b6c.exe
  2848  643c1b8444da8c89fa83aed917307b6c.exe
  2848  643c1b8444da8c89fa83aed917307b6c.exe
  2848  643c1b8444da8c89fa83aed917307b6c.exe
  2848  643c1b8444da8c89fa83aed917307b6c.exe
  2848  643c1b8444da8c89fa83aed917307b6c.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   Process
  2680  643c1b8444da8c89fa83aed917307b6c.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  2848  643c1b8444da8c89fa83aed917307b6c.exe
  2680  643c1b8444da8c89fa83aed917307b6c.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                               procid_target
  PID 2848 set thread context of 2680  2848  643c1b8444da8c89fa83aed917307b6c.exe  94
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2412  2680        WerFault.exe  94
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   643c1b8444da8c89fa83aed917307b6c.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   643c1b8444da8c89fa83aed917307b6c.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2680  643c1b8444da8c89fa83aed917307b6c.exe
  2680  643c1b8444da8c89fa83aed917307b6c.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2848  643c1b8444da8c89fa83aed917307b6c.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process                               procid_target
  PID 2848 wrote to memory of 2680  2848  643c1b8444da8c89fa83aed917307b6c.exe  94
  PID 2848 wrote to memory of 2680  2848  643c1b8444da8c89fa83aed917307b6c.exe  94
  PID 2848 wrote to memory of 2680  2848  643c1b8444da8c89fa83aed917307b6c.exe  94
  PID 2848 wrote to memory of 2680  2848  643c1b8444da8c89fa83aed917307b6c.exe  94
  PID 2848 wrote to memory of 2680  2848  643c1b8444da8c89fa83aed917307b6c.exe  94
Processes
- C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"
  PID: 2848
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe (child of PID 2848)
    Command line: "C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"
    PID: 2680
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (child of PID 2680)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1052
      PID: 2412
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2680 -ip 2680
  PID: 4948
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: 61f69388ae89d61a3d838cbcf81b4f82
  SHA1: e595c0236a373a6ac79c334dc183ee03ca8f8ecd
  SHA256: d65875bb4bc121f81384d55fde90dd9eb9ad1878cd8a02bcb5c8a933c3987a61
  SHA512: 21d34738cc21c1ef6b0ef1ac53659cdab224bbc20ea983f9a952a2cb4b5785a07bb18c0acf22a0d12a94795e1fc6d314f442c923bb1a93b675edac8c6aacf469
- Filesize: 11KB
  MD5: 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3
  SHA1: 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4
  SHA256: d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57
  SHA512: cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8