Overview (overview): score 10
Static (static): score 3
HDFJFDFF89869.pdf (windows7-x64): score 3
HDFJFDFF89869.pdf (windows10-2004-x64): score 3
MORK095434...DF.exe (windows7-x64): score 10
MORK095434...DF.exe (windows10-2004-x64): score 10
$PLUGINSDI...em.dll (windows7-x64): score 3
$PLUGINSDI...em.dll (windows10-2004-x64): score 3
Skottehues...e.html (windows7-x64): score 3
Skottehues...e.html (windows10-2004-x64): score 3

Analysis
max time kernel: 93s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 21:35
Static task static1
Behavioral task behavioral1: sample HDFJFDFF89869.pdf, resource win7-20241023-en
Behavioral task behavioral2: sample HDFJFDFF89869.pdf, resource win10v2004-20241007-en
Behavioral task behavioral3: sample MORK095434567890.PDF.exe, resource win7-20240903-en
Behavioral task behavioral4: sample MORK095434567890.PDF.exe, resource win10v2004-20241007-en
Behavioral task behavioral5: sample $PLUGINSDIR/System.dll, resource win7-20241010-en
Behavioral task behavioral6: sample $PLUGINSDIR/System.dll, resource win10v2004-20241007-en
Behavioral task behavioral7: sample Skottehues/Hofhold/PSReadline.html, resource win7-20240903-en
Behavioral task behavioral8: sample Skottehues/Hofhold/PSReadline.html, resource win10v2004-20241007-en
General
Target: MORK095434567890.PDF.exe
Size: 142KB
MD5: 835fbcba74e794db42ef2a52d9155d82
SHA1: 99e05046bfd1a9cb6bb2479106a18862623e9bd4
SHA256: 0c0df1fa2c8daf189de955db2390ed192692e8d011bf28488e55ed4cc2adbaee
SHA512: f602f8078e36586e4625b992ca6cb7970e9ed1f0daa19fd21e4beb1266d9308a015ad7568806ec6fce57628d5b027e4474ac37ad7206ff6e049a25f719996cd1
SSDEEP: 3072:N1T//IHWyWJADJuaXmrbDb+x1IbqKswR4fzcC1osBg7XneldEszWxMF:7//I2y3dX0Db+xU7swKfQYBAneld7d
Malware Config
Signatures
Guloader family
Guloader, Cloudeye: a shellcode-based downloader first seen in 2020.
Loads dropped DLL (1 IoCs)
  pid   Process
  1712  MORK095434567890.PDF.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MORK095434567890.PDF.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: ee260c45e97b62a5e42f17460d406068
SHA1: df35f6300a03c4d3d3bd69752574426296b78695
SHA256: e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512: a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Filesize: 40B
MD5: 550d45f9054da69ce0c0dde8c4b4e415
SHA1: 82cce0309d229ebf5fd668e6d150f53442e64a7f
SHA256: a8a18540676218ff133c951b7d981e1e5b5ff0f3e2fb2aed5a8abc0ce02c956f
SHA512: 189cbb9b9ad4c23536eeb0ea41df8834fd85b5eadbb996fc751240ee2b51c3062d77499668b3ede8c6093fce13e5e9fd05537e74d93cc99c44328c05012388f3