Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2024 01:51

General

  • Target

    Letter of Intent (LOI) For the Company November 2024 PDF.exe

  • Size

    851KB

  • MD5

    629be165860d2336755de85467756639

  • SHA1

    af1da57d01a00bf942e127cce60fb4208bfd9795

  • SHA256

    e9617a78c93e6d5cdc1087dfa6e9bf9d63406e05b6b01135c189242a7c33718c

  • SHA512

    418f56a804212158033b1ae592cafeb8fa1c5a0d9506eb541beb7762c23ebfe5c61dbac8588c350816c229e9f6d77457e361423146874695976c1b8d9267cbff

  • SSDEEP

    24576:ZNAsPMh+Cdd8509puHmATonQ1htKzWbGWO:dPMvA509pkonAhtHbnO

Malware Config

Signatures

  • Guloader family
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nseEBB7.tmp\System.dll

    Filesize

    11KB

    MD5

    be2621a78a13a56cf09e00dd98488360

    SHA1

    75f0539dc6af200a07cdb056cddddec595c6cfd2

    SHA256

    852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5

    SHA512

    b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

  • memory/2176-37-0x00000000772F0000-0x0000000077499000-memory.dmp

    Filesize

    1.7MB

  • memory/2176-36-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/2176-39-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/2448-31-0x0000000003190000-0x0000000004735000-memory.dmp

    Filesize

    21.6MB

  • memory/2448-32-0x0000000003190000-0x0000000004735000-memory.dmp

    Filesize

    21.6MB

  • memory/2448-33-0x00000000772F1000-0x00000000773F2000-memory.dmp

    Filesize

    1.0MB

  • memory/2448-34-0x00000000772F0000-0x0000000077499000-memory.dmp

    Filesize

    1.7MB

  • memory/2448-35-0x0000000003190000-0x0000000004735000-memory.dmp

    Filesize

    21.6MB