Analysis
-
max time kernel
146s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
21/11/2024, 19:59
General
-
Target
ATTACHED ORIGINAL REF __NOTE.exe
-
Size
252KB
-
MD5
995a9f0d72ee6407f3979543930d80ae
-
SHA1
8e38d89ab142ccbfb95952f873f49df56ab65055
-
SHA256
77a74587d301dfd79d5c60a874ac580e83c389e8566261f60b09d87cdffa2e38
-
SHA512
f72e8016c05880bc5a338266e5f4859b88c3c66b262264ce48fb30ca4efbf53eb6101579f46c4f83794ebb332a78e45bda8088b9707454b959a640b0b3278f1e
-
SSDEEP
3072:A1p9M3scGOWyLvr1f+lwYuJIVPUVJXgcAm6S6l7g98HimFx1zeBgxX:3nG1eJffYuJ4cVdx36Fl7U8mBe
Malware Config
Extracted
guloader
https://drive.google.com/uc?export=download&id=1-7CEqaIs0xr7KeLf1RsQKlZCjSlB91Jb
Extracted
xloader
2.3
i8be
cdymjim.icu
globalmilitaryaircraft.com
slusheestore.com
freepdfconvert.net
itadsweden.com
legenddocs.com
metholyptus.com
966cm.com
mobilitygloves-protect.com
travaze.net
go-kalisa.com
believehavefaith.com
nywebhost.com
semitsol.com
wowyuu.net
cochesb2b.com
gobesttobuy.com
senmec23.com
bmsgw.com
newazenterprise.com
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader family
-
Xloader payload 3 IoCs
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Deletes itself 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ATTACHED ORIGINAL REF __NOTE.exe"C:\Users\Admin\AppData\Local\Temp\ATTACHED ORIGINAL REF __NOTE.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ATTACHED ORIGINAL REF __NOTE.exe"C:\Users\Admin\AppData\Local\Temp\ATTACHED ORIGINAL REF __NOTE.exe"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\ATTACHED ORIGINAL REF __NOTE.exe"3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.7MB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
1.0MB
-
Filesize
856KB
-
Filesize
52KB
-
Filesize
856KB
-
Filesize
1.3MB
-
Filesize
1024KB
-
Filesize
1.3MB
-
Filesize
1.7MB
-
Filesize
1024KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
160KB