Analysis Overview
SHA256
5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0
Threat Level: Known bad
The file 5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe was found to be: Known bad.
Malicious Activity Summary
Guloader family
Guloader,Cloudeye
Loads dropped DLL
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 14:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-06 14:45
Reported
2024-11-06 14:47
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4608 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4608 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4608 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2724 -ip 2724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 14:45
Reported
2024-11-06 14:47
Platform
win7-20240903-en
Max time kernel
9s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\customization.rom | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\primy.ini | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe
"C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe"
Network
Files
C:\Windows\Resources\primy.ini
| MD5 | 76d9175a3db7407eb0bfc3c07ddcd9d2 |
| SHA1 | 72071127e9a44935cb02650ed715ccaf6a8f8418 |
| SHA256 | 1f7119996dd17af05bf05e497104715bbbc3909676afa4329fbd59502be1a1a5 |
| SHA512 | 5032dab71e70a4bd1dad2f5cf9380e0097be7993bc46886fed6e4bdd8781f2b10d31338d90d0dc5804665bda2cbfe93f1172250e1a8ab7c9118baf9f156e3c69 |
\Users\Admin\AppData\Local\Temp\nsyC4A7.tmp\System.dll
| MD5 | 192639861e3dc2dc5c08bb8f8c7260d5 |
| SHA1 | 58d30e460609e22fa0098bc27d928b689ef9af78 |
| SHA256 | 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6 |
| SHA512 | 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc |
memory/1620-23239-0x00000000031F0000-0x0000000003C59000-memory.dmp
memory/1620-23242-0x00000000031F0000-0x0000000003C59000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 14:45
Reported
2024-11-06 14:47
Platform
win10v2004-20241007-en
Max time kernel
13s
Max time network
145s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\customization.rom | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\primy.ini | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe
"C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe"
C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe
"C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kmsaksesuar.com | udp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
| US | 44.28.239.165:443 | kmsaksesuar.com | tcp |
Files
C:\Windows\Resources\primy.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\nsa8629.tmp\System.dll
| MD5 | 192639861e3dc2dc5c08bb8f8c7260d5 |
| SHA1 | 58d30e460609e22fa0098bc27d928b689ef9af78 |
| SHA256 | 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6 |
| SHA512 | 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc |
memory/4324-23237-0x0000000002F20000-0x0000000003989000-memory.dmp
memory/4324-23238-0x0000000077BE1000-0x0000000077D01000-memory.dmp
memory/4324-23239-0x00000000748D5000-0x00000000748D6000-memory.dmp
memory/4324-23240-0x0000000002F20000-0x0000000003989000-memory.dmp
memory/3660-23241-0x0000000000400000-0x0000000001654000-memory.dmp
memory/3660-23242-0x0000000001660000-0x00000000020C9000-memory.dmp
memory/3660-23243-0x0000000077C68000-0x0000000077C69000-memory.dmp
memory/3660-23244-0x0000000077C85000-0x0000000077C86000-memory.dmp
memory/3660-23245-0x0000000001660000-0x00000000020C9000-memory.dmp
memory/3660-23247-0x0000000077BE1000-0x0000000077D01000-memory.dmp
memory/3660-23246-0x0000000000400000-0x0000000001654000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-06 14:45
Reported
2024-11-06 14:47
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 220