Overview

overview

10

Static

static

1

a3c3fcc02a...6a.exe

windows7-x64

8

a3c3fcc02a...6a.exe

windows10-2004-x64

10

$_12_/Crystalizer.ps1

windows7-x64

3

$_12_/Crystalizer.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe

  • Size

    624KB

  • MD5

    f08d6545c74d5a429d8225885b81f55a

  • SHA1

    f95b76f2d791105cd9c942c704fbf223d27892ad

  • SHA256

    a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a

  • SHA512

    325f87497a9994b4213eb14bde7e62aa586644a6eba0ef3323a095e4f1d4f43547e6f1363079df165a2c2ec39853ce22d4617eaa05676bd61ec745d852e92fc6

  • SSDEEP

    12288:B/tGh4HqBbV0/tQv6o1xMKZoRmpfSJ9OI1rbIAPxEq:BQhW9/66mMK2kpaJdbpPxX

Score
10/10
guloaderdiscoverydownloaderexecution

Malware Config

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Blocklisted process makes network request 9 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe
    "C:\Users\Admin\AppData\Local\Temp\a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Phthalic=Get-Content -raw 'C:\Users\Admin\AppData\Local\dockers\fabriksguvlet\Crystalizer.Syn';$Medialises=$Phthalic.SubString(54841,3);.$Medialises($Phthalic)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:4232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5r5aocke.tjs.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\dockers\fabriksguvlet\Crystalizer.Syn
    Filesize

    53KB

    MD5

    b6a2296e8b10cd624e538e4d115344d2

    SHA1

    a121b8415406491326ff8a15af93fc8b6c1657d9

    SHA256

    13b35482d6f13a556d05c3eb00235ccc32138ae94f7d3fe3917081c35adc7925

    SHA512

    ad216d5308e80a366f6c28ec7a676b187971199c4d8c15b1b7511528c78768d588fb445f86ea2520e930f018bb9b51153b2bd9f39951ff04118e2e68e8634815

    Download Submit

  • C:\Users\Admin\AppData\Local\dockers\fabriksguvlet\Isbrydende.afr
    Filesize

    286KB

    MD5

    a1b94b654c739e207a77ad8005c85af0

    SHA1

    45f0f0c78c1311168d0d76f182170c910ff1370c

    SHA256

    1e32700523bba02e59560527d35c63d8abd04418a9434f5fbc5dd51e5dee3144

    SHA512

    3705019ec49cee8b68ef9535ee4290c00045a57a0da172e473fce805f4b1f016d063d4b6bd2ff58cf4b57d25b82530a623376069a4f34d9823f76ed1971202ef

    Download Submit

  • memory/2948-30-0x0000000006030000-0x000000000607C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2948-29-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2948-54-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-14-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-23-0x0000000005990000-0x00000000059F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2948-22-0x0000000005920000-0x0000000005986000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2948-28-0x0000000005B00000-0x0000000005E54000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2948-52-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-11-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2948-31-0x0000000006FB0000-0x0000000007046000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2948-33-0x0000000006580000-0x00000000065A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2948-32-0x0000000006530000-0x000000000654A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2948-51-0x00000000074A0000-0x0000000007543000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2948-13-0x00000000050B0000-0x00000000056D8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2948-36-0x0000000008230000-0x00000000088AA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2948-37-0x0000000007430000-0x0000000007462000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2948-39-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-38-0x0000000070410000-0x000000007045C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2948-40-0x0000000070570000-0x00000000708C4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2948-50-0x0000000007470000-0x000000000748E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2948-34-0x0000000007600000-0x0000000007BA4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2948-15-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-17-0x0000000005880000-0x00000000058A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2948-53-0x00000000075A0000-0x00000000075AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2948-56-0x0000000007D20000-0x0000000007D44000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2948-55-0x0000000007CF0000-0x0000000007D1A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2948-57-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-59-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2948-60-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-61-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-12-0x0000000004A40000-0x0000000004A76000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2948-63-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-64-0x00000000088B0000-0x0000000009ACC000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/2948-65-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-66-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-67-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-68-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-69-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2948-70-0x0000000073F90000-0x0000000074740000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4232-71-0x0000000002260000-0x000000000347C000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4232-73-0x0000000002260000-0x000000000347C000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4232-72-0x0000000001000000-0x0000000002254000-memory.dmp

    Filesize

    18.3MB

    Download