Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 19:56
Static task
static1
Behavioral task
behavioral1
Sample
Original copies of shipment docs.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Original copies of shipment docs.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
pic05678063.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
pic05678063.exe
Resource
win10v2004-20241007-en
General
-
Target
pic05678063.exe
-
Size
92KB
-
MD5
22b022a5547dbc1c9bcfb8e4d7eb440f
-
SHA1
952b628cb42495baf73c468d509f249d55aa7966
-
SHA256
c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414
-
SHA512
c1a8f88047f91c4ad9b0e916d17f2c32c3fa080208d1eb77cab0ce57bb8594337d324bf99275bca1c5eb89d5dcf5898ccefa9de83efbe9a3beb2369ac6355c76
-
SSDEEP
1536:RHR4uv4MRD+wmxH+2POAGcS5g0nhS61D4B:9ym+dRnC5g0ns61kB
Malware Config
Extracted
guloader
https://drive.google.com/uc?export=download&id=1xAtgeY-y0Ovf41LpAmat5XPeHwnWyI0P
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
pic05678063.exepic05678063.exedescription ioc process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe pic05678063.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe pic05678063.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pic05678063.exepic05678063.exepid process 1120 pic05678063.exe 1428 pic05678063.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
pic05678063.exedescription pid process target process PID 1120 set thread context of 1428 1120 pic05678063.exe pic05678063.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
pic05678063.exepic05678063.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pic05678063.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pic05678063.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pic05678063.exepid process 1120 pic05678063.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pic05678063.exepid process 1120 pic05678063.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
pic05678063.exedescription pid process target process PID 1120 wrote to memory of 1428 1120 pic05678063.exe pic05678063.exe PID 1120 wrote to memory of 1428 1120 pic05678063.exe pic05678063.exe PID 1120 wrote to memory of 1428 1120 pic05678063.exe pic05678063.exe PID 1120 wrote to memory of 1428 1120 pic05678063.exe pic05678063.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pic05678063.exe"C:\Users\Admin\AppData\Local\Temp\pic05678063.exe"1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\pic05678063.exe"C:\Users\Admin\AppData\Local\Temp\pic05678063.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1428
-