Analysis Overview
SHA256
360acac9133b07ab36c79af7aa5e46850a97a297696bc812bfd25c4415ce4449
Threat Level: Known bad
The file PAYMENTADVICETT07180016-24_pdf.exe was found to be: Known bad.
Malicious Activity Summary
Guloader family
Guloader,Cloudeye
Disables Task Manager via registry modification
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-17 07:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-17 07:45
Reported
2024-12-17 07:47
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Disables Task Manager via registry modification
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\hjemmecomputeren.Pot | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1444 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe"
C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nst13A.tmp\System.dll
| MD5 | ee260c45e97b62a5e42f17460d406068 |
| SHA1 | df35f6300a03c4d3d3bd69752574426296b78695 |
| SHA256 | e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27 |
| SHA512 | a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3 |
memory/1444-16-0x0000000002F00000-0x0000000005821000-memory.dmp
memory/1444-18-0x0000000077180000-0x0000000077329000-memory.dmp
memory/1444-17-0x0000000077181000-0x0000000077282000-memory.dmp
memory/1444-19-0x0000000077370000-0x0000000077446000-memory.dmp
memory/1444-20-0x0000000002F00000-0x0000000005821000-memory.dmp
memory/2980-21-0x0000000077180000-0x0000000077329000-memory.dmp
memory/2980-44-0x0000000077180000-0x0000000077329000-memory.dmp
memory/2980-43-0x0000000000460000-0x00000000014C2000-memory.dmp
memory/2980-45-0x0000000000460000-0x00000000014C2000-memory.dmp
memory/2980-46-0x0000000000460000-0x000000000047E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-17 07:45
Reported
2024-12-17 07:47
Platform
win10v2004-20241007-en
Max time kernel
0s
Max time network
149s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\hjemmecomputeren.Pot | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe"
C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICETT07180016-24_pdf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsk7A51.tmp\System.dll
| MD5 | ee260c45e97b62a5e42f17460d406068 |
| SHA1 | df35f6300a03c4d3d3bd69752574426296b78695 |
| SHA256 | e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27 |
| SHA512 | a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3 |
memory/4508-14-0x0000000002A60000-0x0000000005381000-memory.dmp
memory/4508-15-0x0000000077CB1000-0x0000000077DD1000-memory.dmp
memory/4508-16-0x0000000010004000-0x0000000010005000-memory.dmp
memory/4508-17-0x0000000002A60000-0x0000000005381000-memory.dmp
memory/1728-18-0x00000000016C0000-0x0000000003FE1000-memory.dmp
memory/1728-31-0x0000000000460000-0x00000000016B4000-memory.dmp
memory/1728-32-0x0000000000460000-0x000000000047E000-memory.dmp
memory/1728-34-0x0000000036C20000-0x0000000036CBC000-memory.dmp
memory/1728-33-0x0000000036D50000-0x00000000372F4000-memory.dmp
memory/1728-36-0x00000000016C0000-0x0000000003FE1000-memory.dmp
memory/1728-38-0x0000000037760000-0x00000000377B0000-memory.dmp
memory/1728-37-0x00000000376C0000-0x0000000037752000-memory.dmp
memory/1728-40-0x00000000378D0000-0x0000000037A92000-memory.dmp
memory/1728-41-0x0000000037B50000-0x0000000037B5A000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-17 07:45
Reported
2024-12-17 07:47
Platform
win7-20241023-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-17 07:45
Reported
2024-12-17 07:47
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 664 wrote to memory of 4860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 664 wrote to memory of 4860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 664 wrote to memory of 4860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |