Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-11-2024 06:16

General

  • Target

    Trykblgens.exe

  • Size

    354KB

  • MD5

    0f34c819b26907e1508f9cc886cd5440

  • SHA1

    790d7283f25f77ad24de07368194d4266c24f051

  • SHA256

    b199b1b1500796c646cfb42f1175b84b7e1493694a80bea9d5de5a0550ed4f92

  • SHA512

    9b359aaa21b81d6751f3ff1061286a7118847427a07b449e2d31f5dfad55d9ce6cd958b7e70b0d62cbe1b1bb4924af2673a35049ab821d5a57657bb077f55c8d

  • SSDEEP

    6144:tNDlOlZOvRQmfszRZBdhOSmhhyDRXR0OjN5c/9WG3ktHhpBnyv+bx2MTxrLM37Vh:tsZOv09dhOSmCVhjg/9WG3QBPyv+9Zt

Malware Config

Signatures

  • Guloader family
  • Guloader,Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trykblgens.exe
    "C:\Users\Admin\AppData\Local\Temp\Trykblgens.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\AppData\Local\Temp\Trykblgens.exe
      "C:\Users\Admin\AppData\Local\Temp\Trykblgens.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:2932
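The report tags API use on the calling process, not on the target, so the technique has to be read off the tree: PID 752 carries WriteProcessMemory, MapViewOfSection and SetThreadContext and spawns a child from the same image, and that child (PID 2932) repeats the QEMU and HideFromDebugger checks. The following is an added example, not part of the sandbox report: the process tree is transcribed from the Processes section above as constructed input, and the rule definitions (which signature combinations are treated as injection or anti-analysis) are this example's own assumptions.

```python
"""Correlate per-process sandbox signatures into technique-level findings.

Added example, not part of the sandbox report. The process tree below is
transcribed from this page's "Processes" section as constructed input; the
rule definitions (which signature combinations indicate which technique)
are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    signatures: List[str] = field(default_factory=list)


IMAGE = r"C:\Users\Admin\AppData\Local\Temp\Trykblgens.exe"

# Constructed from the report: PID 752 is the submitted sample, PID 2932 its
# child, launched from the same image path.
PROCESSES: Dict[int, Proc] = {
    752: Proc(752, IMAGE, None, [
        "Checks QEMU agent file",
        "Loads dropped DLL",
        "Suspicious use of NtSetInformationThreadHideFromDebugger",
        "Suspicious use of SetThreadContext",
        "System Location Discovery: System Language Discovery",
        "Suspicious behavior: MapViewOfSection",
        "Suspicious use of WriteProcessMemory",
    ]),
    2932: Proc(2932, IMAGE, 752, [
        "Checks QEMU agent file",
        "Suspicious use of NtSetInformationThreadHideFromDebugger",
        "System Location Discovery: System Language Discovery",
    ]),
}

# A process that writes into another and then rewrites a thread context has
# the shape of process hollowing / thread hijacking; MapViewOfSection is the
# section-mapping variant of the same write step. (Example's own rule.)
WRITE_SIGS = {"Suspicious use of WriteProcessMemory",
              "Suspicious behavior: MapViewOfSection"}
CONTEXT_SIG = "Suspicious use of SetThreadContext"
ANTI_ANALYSIS_SIGS = {
    "Checks QEMU agent file",
    "Suspicious use of NtSetInformationThreadHideFromDebugger",
}


def children_of(pid: int, procs: Dict[int, Proc]) -> List[Proc]:
    return [p for p in procs.values() if p.parent == pid]


def find_injection(procs: Dict[int, Proc]) -> List[dict]:
    """Pair each writer+context-setter with the children it spawned.

    The sandbox tags the API use on the caller, so the target is inferred:
    a child of the writer. When the child runs the same image as the
    parent, the child exists only to host the next stage.
    """
    findings = []
    for p in procs.values():
        sigs = set(p.signatures)
        if not (sigs & WRITE_SIGS) or CONTEXT_SIG not in sigs:
            continue
        for child in children_of(p.pid, procs):
            findings.append({
                "writer": p.pid,
                "target": child.pid,
                "same_image": child.image.lower() == p.image.lower(),
                "write_methods": sorted(sigs & WRITE_SIGS),
            })
    return findings


def anti_analysis_by_pid(procs: Dict[int, Proc]) -> Dict[int, List[str]]:
    """Which processes run VM/debugger checks."""
    return {
        p.pid: sorted(set(p.signatures) & ANTI_ANALYSIS_SIGS)
        for p in procs.values()
        if set(p.signatures) & ANTI_ANALYSIS_SIGS
    }


def stages_repeating_checks(procs: Dict[int, Proc]) -> List[int]:
    """Injection targets whose anti-analysis signatures equal the writer's:
    the injected stage re-evaluates the environment instead of trusting
    the loader's verdict, so a VM that passed stage one is tested again."""
    aa = anti_analysis_by_pid(procs)
    return [f["target"] for f in find_injection(procs)
            if aa.get(f["target"]) and aa[f["target"]] == aa.get(f["writer"])]


if __name__ == "__main__":
    for f in find_injection(PROCESSES):
        print(f)
    print(anti_analysis_by_pid(PROCESSES))
    print("targets re-running the loader's checks:", stages_repeating_checks(PROCESSES))
```

Run against this report's tree the example yields one injection finding (752 writing into its same-image child 2932) and reports 2932 as a stage that re-runs the loader's QEMU and HideFromDebugger checks, which is why a sandbox that only defeats the first stage's checks still loses the second.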

Network

    All 17 flows are from Trykblgens.exe to the same bare IP, 172.93.187.72:80, and alternate between 104 B and 96 B.

    Destination         Process          Size    Count
    172.93.187.72:80    Trykblgens.exe   104 B   2
    172.93.187.72:80    Trykblgens.exe   96 B    2
    172.93.187.72:80    Trykblgens.exe   104 B   2
    172.93.187.72:80    Trykblgens.exe   96 B    2
    172.93.187.72:80    Trykblgens.exe   104 B   2
    172.93.187.72:80    Trykblgens.exe   96 B    2
    172.93.187.72:80    Trykblgens.exe   104 B   2
    172.93.187.72:80    Trykblgens.exe   96 B    2
    172.93.187.72:80    Trykblgens.exe   104 B   2
    172.93.187.72:80    Trykblgens.exe   96 B    2
    172.93.187.72:80    Trykblgens.exe   104 B   2
    172.93.187.72:80    Trykblgens.exe   96 B    2
    172.93.187.72:80    Trykblgens.exe   104 B   2
    172.93.187.72:80    Trykblgens.exe   96 B    2
    172.93.187.72:80    Trykblgens.exe   104 B   2
    172.93.187.72:80    Trykblgens.exe   96 B    2
    172.93.187.72:80    Trykblgens.exe   104 B   2
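Seventeen tiny, near-constant-size flows to one IP on port 80 is a check-in pattern rather than a download, and it is the kind of shape a flow-level rule can catch without any content inspection. The following is an added example, not part of the sandbox report: FLOWS is constructed to mirror the Network table above (17 flows, alternating 104 B and 96 B), the contrast case and the thresholds in is_beacon_like() are this example's own, and the IOC set is just the destination from this report.

```python
"""Flag beacon-like network flows in a sandbox flow list.

Added example, not part of the sandbox report. FLOWS is constructed from
this page's Network section (17 flows from Trykblgens.exe to
172.93.187.72:80, alternating 104 B and 96 B); the thresholds in
is_beacon_like() are this example's own and should be tuned per network.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, int, str, int]  # (dst_ip, dst_port, process, bytes)

# Constructed to mirror the report's flow table.
FLOWS: List[Flow] = [
    ("172.93.187.72", 80, "Trykblgens.exe", 104 if i % 2 == 0 else 96)
    for i in range(17)
]

# Constructed contrast case: one large, varied download session.
DOWNLOAD_FLOWS: List[Flow] = [
    ("203.0.113.10", 443, "browser.exe", 180),
    ("203.0.113.10", 443, "browser.exe", 524_288),
    ("203.0.113.10", 443, "browser.exe", 2_097_152),
]


def group_by_destination(flows: Iterable[Flow]) -> Dict[Tuple[str, int, str], List[int]]:
    """Bucket flow sizes by (dst_ip, dst_port, process)."""
    groups: Dict[Tuple[str, int, str], List[int]] = defaultdict(list)
    for ip, port, proc, size in flows:
        groups[(ip, port, proc)].append(size)
    return groups


def is_beacon_like(sizes: List[int], min_flows: int = 5,
                   max_bytes: int = 256, max_stdev: float = 16.0) -> bool:
    """Beacon shape: many flows, each tiny, with near-constant size.

    A check-in that carries no payload looks the same every time; a real
    download (or a payload actually fetched) shows large, varied sizes.
    """
    if len(sizes) < min_flows or max(sizes) > max_bytes:
        return False
    return pstdev(sizes) <= max_stdev


def find_beacons(flows: Iterable[Flow], **thresholds) -> List[dict]:
    """Return one summary record per destination that matches the shape."""
    hits = []
    for (ip, port, proc), sizes in group_by_destination(flows).items():
        if is_beacon_like(sizes, **thresholds):
            hits.append({
                "dst": f"{ip}:{port}",
                "process": proc,
                "flows": len(sizes),
                "mean_bytes": round(mean(sizes), 1),
                "total_bytes": sum(sizes),
            })
    return hits


def matches_ioc(flows: Iterable[Flow], ioc_ips: set) -> List[str]:
    """Shape-independent check: did any flow reach a known-bad destination?"""
    return sorted({ip for ip, _, _, _ in flows if ip in ioc_ips})


if __name__ == "__main__":
    print(find_beacons(FLOWS))            # one hit: 172.93.187.72:80
    print(find_beacons(DOWNLOAD_FLOWS))   # no hit: large, varied sizes
    print(matches_ioc(FLOWS, {"172.93.187.72"}))
```

The 17 flows total 1,704 bytes; if the reported sizes cover the whole flow, nothing payload-sized came back from 172.93.187.72 in this run, so the memory dumps, not the network capture, are where the next stage has to be looked for.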

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\nsdD3B4.tmp\System.dll (12KB)

    MD5     8cf2ac271d7679b1d68eefc1ae0c5618
    SHA1    7cc1caaa747ee16dc894a600a4256f64fa65a9b8
    SHA256  6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
    SHA512  ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

    A ns????.tmp\System.dll under %TEMP% is the path pattern of the NSIS System plugin that NSIS installers extract at run time; it is presumably the DLL behind the "Loads dropped DLL" signature on PID 752 and is consistent with GuLoader's usual NSIS packaging.

  • Memory dumps (named pid-index-start-end)

    Dump                                                              PID   Size
    memory/752-11-0x0000000003F80000-0x0000000004E3E000-memory.dmp    752   14.7MB
    memory/752-12-0x0000000077811000-0x0000000077912000-memory.dmp    752   1.0MB
    memory/752-13-0x0000000077810000-0x00000000779B9000-memory.dmp    752   1.7MB
    memory/752-14-0x0000000003F80000-0x0000000004E3E000-memory.dmp    752   14.7MB
    memory/752-23-0x0000000003F80000-0x0000000004E3E000-memory.dmp    752   14.7MB
    memory/2932-15-0x0000000077810000-0x00000000779B9000-memory.dmp   2932  1.7MB
    memory/2932-16-0x0000000077810000-0x00000000779B9000-memory.dmp   2932  1.7MB
    memory/2932-17-0x0000000072DA0000-0x0000000073E02000-memory.dmp   2932  16.4MB

    The 14.7MB region at 0x03F80000 in PID 752 was dumped three times (indices 11, 14 and 23), and the 1.7MB region at 0x77810000 appears in both processes.
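The dump names encode everything needed to triage them before opening a single file: which regions were re-captured (their contents changed between captures), which ranges are shared between the two PIDs (the same module at the same base), and which large region is unique to each process. The following is an added example, not part of the sandbox report: the dump names are copied from the Downloads list above, and reading them as memory/<pid>-<index>-<start>-<end>-memory.dmp is this example's own assumption about the naming scheme.

```python
"""Size and cross-reference the memory dumps a sandbox produced.

Added example, not part of the sandbox report. The dump names are copied
from this page's Downloads section; reading them as
memory/<pid>-<index>-<start>-<end>-memory.dmp is this example's assumption
about the naming scheme.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

DUMP_NAMES = [
    "memory/752-11-0x0000000003F80000-0x0000000004E3E000-memory.dmp",
    "memory/752-12-0x0000000077811000-0x0000000077912000-memory.dmp",
    "memory/752-13-0x0000000077810000-0x00000000779B9000-memory.dmp",
    "memory/752-14-0x0000000003F80000-0x0000000004E3E000-memory.dmp",
    "memory/752-23-0x0000000003F80000-0x0000000004E3E000-memory.dmp",
    "memory/2932-15-0x0000000077810000-0x00000000779B9000-memory.dmp",
    "memory/2932-16-0x0000000077810000-0x00000000779B9000-memory.dmp",
    "memory/2932-17-0x0000000072DA0000-0x0000000073E02000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split a dump name into pid, capture index and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "index": int(m["index"]),
            "start": start, "end": end, "size": end - start}


def fmt_size(n: int) -> str:
    """Same rounding the report uses: MiB to one decimal, labelled MB."""
    return f"{n / (1024 * 1024):.1f}MB"


def redumped_regions(names: List[str]) -> Dict[Tuple[int, int, int], int]:
    """(pid, start, end) captured more than once. A region the sandbox
    dumped repeatedly changed between captures, which is where in-place
    decryption of the next stage would show up."""
    c = Counter((d["pid"], d["start"], d["end"]) for d in map(parse_dump_name, names))
    return {k: v for k, v in c.items() if v > 1}


def shared_ranges(names: List[str]) -> Dict[Tuple[int, int], List[int]]:
    """Identical (start, end) seen in more than one PID: most likely a
    system module mapped at the same base in parent and child, so not the
    sample-specific code."""
    by_range: Dict[Tuple[int, int], set] = defaultdict(set)
    for d in map(parse_dump_name, names):
        by_range[(d["start"], d["end"])].add(d["pid"])
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def largest_private_candidates(names: List[str]) -> List[Tuple[int, int, str]]:
    """Per PID, the biggest region not shared with another PID: the first
    dump to open when hunting the unpacked payload."""
    shared = shared_ranges(names)
    best: Dict[int, dict] = {}
    for d in map(parse_dump_name, names):
        if (d["start"], d["end"]) in shared:
            continue
        if d["pid"] not in best or d["size"] > best[d["pid"]]["size"]:
            best[d["pid"]] = d
    return [(pid, d["start"], fmt_size(d["size"])) for pid, d in sorted(best.items())]


if __name__ == "__main__":
    for n in DUMP_NAMES:
        d = parse_dump_name(n)
        print(d["pid"], d["index"], hex(d["start"]), fmt_size(d["size"]))
    print(redumped_regions(DUMP_NAMES))
    print(shared_ranges(DUMP_NAMES))
    print(largest_private_candidates(DUMP_NAMES))
```

On this report's names the computed sizes reproduce the listed 14.7MB, 1.0MB, 1.7MB and 16.4MB, the 0x03F80000 region in PID 752 comes out as captured three times, the 0x77810000 range is the one shared by both PIDs, and the candidates to open first are the 14.7MB region in 752 and the 16.4MB region in 2932.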
