Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 00:13

General

  • Target

    ARAH%20BME%20SDN%20BHD%20INV%20STATEMENT.zip

  • Size

    634KB

  • MD5

    c9936b02187f484ce22f89470f80cdeb

  • SHA1

    8d97f4b6f142d623173ed6bbb02b27d6fdb60a7f

  • SHA256

    bf64141d69992e8ea43fad5e54127333c0f0613b193c43db36035c8cffdeecde

  • SHA512

    31292c430a3b495584ca52c8197e1c7d628c9f478d98eae46ea46a4d949a5ca3591492b82c8c10585d9cd6e10cb89758d83d5a17954084ab07ef9780867c5f44

  • SSDEEP

    12288:eZauYlUlJ7BB+5XsWg0L1LWphIKJYg+1I//CzIrUOGlGGVqnPxniyiQLRXXm:iaJOlp+dHxL6IKZ/0yUOGlF8i+dnm

Malware Config

Signatures

  • Guloader family
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 19 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ARAH%20BME%20SDN%20BHD%20INV%20STATEMENT.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Users\Admin\AppData\Local\Temp\7zO020E2308\ARAH BME SDN BHD INV STATEMENT.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO020E2308\ARAH BME SDN BHD INV STATEMENT.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO020E2308\ARAH BME SDN BHD INV STATEMENT.exe"
        3⤵
        • Blocklisted process makes network request
        • Adds Run key to start application
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO020E2308\ARAH BME SDN BHD INV STATEMENT.exe

    Filesize

    658KB

    MD5

    031bc337fabe49aac9c372f16825354c

    SHA1

    7abb57546b33f2c3f91b2cc182186b0ed21b9544

    SHA256

    8450066748c90f306e28dee0fd262b9b1b8ed05ef40a8ee07b37bc6d0ce16764

    SHA512

    6fadb85a17597377a3a0c7c5ccb3d376412281be0ee166a0726fbf0ca18e2336002ca1adcb0822f360cda67661c5a6d5464e47aa1ebe3432ff8f5110bc5f13e7

  • C:\Users\Admin\AppData\Local\Temp\nsl6CC1.tmp\System.dll

    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

  • memory/892-30-0x0000000000400000-0x00000000005E4000-memory.dmp

    Filesize

    1.9MB

  • memory/2396-23-0x0000000004B20000-0x00000000062EB000-memory.dmp

    Filesize

    23.8MB

  • memory/2396-24-0x00000000744F5000-0x00000000744F6000-memory.dmp

    Filesize

    4KB

  • memory/2396-25-0x0000000004B20000-0x00000000062EB000-memory.dmp

    Filesize

    23.8MB