Overview

overview

10

Static

static

3

3d3752119f...3a.exe

windows7-x64

10

3d3752119f...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d3752119fed970cc7e132848158f6193e8ce7f9e0a6c23f50b56c002d57de3a.exe

  • Size

    136KB

  • MD5

    a33dae9378ae60792b7a379d35c3d72d

  • SHA1

    33bd58b106f79dbafc21eea039ede3f3c8ae5bfe

  • SHA256

    3d3752119fed970cc7e132848158f6193e8ce7f9e0a6c23f50b56c002d57de3a

  • SHA512

    a1ca4811a4c3f77cc264d5282775f9d38029320e4b2eabbce6b373d81f1ceb554a0f4a4bb6eda9675c78a036acde9ad381ea201b618a0f1d44a3ba9ca567ab66

  • SSDEEP

    1536:jSMJImKSOog+MxVnWzC5sWgzb7W/MEA6Jm2taMMco3vu:ll1OogjVnQCia/lAYViu

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d3752119fed970cc7e132848158f6193e8ce7f9e0a6c23f50b56c002d57de3a.exe
    "C:\Users\Admin\AppData\Local\Temp\3d3752119fed970cc7e132848158f6193e8ce7f9e0a6c23f50b56c002d57de3a.exe"
    1⤵
    • Checks QEMU agent file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\3d3752119fed970cc7e132848158f6193e8ce7f9e0a6c23f50b56c002d57de3a.exe
      "C:\Users\Admin\AppData\Local\Temp\3d3752119fed970cc7e132848158f6193e8ce7f9e0a6c23f50b56c002d57de3a.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:3092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2672-2-0x0000000002AC0000-0x0000000002AD7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2672-3-0x0000000077281000-0x00000000773A1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2672-4-0x0000000002AC0000-0x0000000002AD7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2672-7-0x0000000002AC0000-0x0000000002AD7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3092-5-0x0000000000400000-0x000000000055D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3092-8-0x0000000000560000-0x0000000000660000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3092-9-0x0000000077281000-0x00000000773A1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3092-10-0x0000000000560000-0x0000000000660000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3092-17-0x0000000000400000-0x000000000055D000-memory.dmp

    Filesize

    1.4MB

    Download