Overview

overview

10

Static

static

3

Staff Atte...DF.exe

windows7-x64

10

Staff Atte...DF.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Staff Attendance Submission for Payroll Processing (July 07 - November 07, 2024) PDF.exe

  • Size

    401KB

  • MD5

    a62db3b4c45f6012c0951c72be7e339a

  • SHA1

    635ddbd1e2884f847fa3e60fd547e8dc958af4d1

  • SHA256

    82f6981ed7bd0008afe2369debe26bfd84d7e9ee5d54e4741ebb3e29c3794e8e

  • SHA512

    f2f72f9ebae0339adba033689e42d9eb7ad7c79ed759c01283c5d1ec2bf24e2a983ba495fec3d5ec14c40f97ccd4c86e155822fb3e5400057f16c3a9a32625c7

  • SSDEEP

    12288:z0m2XWPUR9fBnEwEe6V0Lu6eRmwVbVsCI/:ujvZnEdfgegwVbVsX

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Staff Attendance Submission for Payroll Processing (July 07 - November 07, 2024) PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Staff Attendance Submission for Payroll Processing (July 07 - November 07, 2024) PDF.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 528
      2⤵
      • Program crash
      PID:1912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsoE15B.tmp\System.dll
    Filesize

    11KB

    MD5

    34442e1e0c2870341df55e1b7b3cccdc

    SHA1

    99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

    SHA256

    269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

    SHA512

    4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

    Download Submit

  • memory/1968-27-0x00000000037E0000-0x0000000005236000-memory.dmp

    Filesize

    26.3MB

    Download

  • memory/1968-28-0x00000000037E0000-0x0000000005236000-memory.dmp

    Filesize

    26.3MB

    Download