Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 00:13

Static task: static1

Behavioral task: behavioral1
Sample: ARAH%20BME%20SDN%20BHD%20INV%20STATEMENT.zip
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: ARAH%20BME%20SDN%20BHD%20INV%20STATEMENT.zip
Resource: win10v2004-20241007-en
General

Target: ARAH%20BME%20SDN%20BHD%20INV%20STATEMENT.zip
Size: 634KB
MD5: c9936b02187f484ce22f89470f80cdeb
SHA1: 8d97f4b6f142d623173ed6bbb02b27d6fdb60a7f
SHA256: bf64141d69992e8ea43fad5e54127333c0f0613b193c43db36035c8cffdeecde
SHA512: 31292c430a3b495584ca52c8197e1c7d628c9f478d98eae46ea46a4d949a5ca3591492b82c8c10585d9cd6e10cb89758d83d5a17954084ab07ef9780867c5f44
SSDEEP: 12288:eZauYlUlJ7BB+5XsWg0L1LWphIKJYg+1I//CzIrUOGlGGVqnPxniyiQLRXXm:iaJOlp+dHxL6IKZ/0yUOGlF8i+dnm
Malware Config

Signatures

Guloader family

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
Blocklisted process makes network request 19 IoCs

flow  pid  Process
41    892  powershell.exe
42    892  powershell.exe
44    892  powershell.exe
47    892  powershell.exe
48    892  powershell.exe
49    892  powershell.exe
50    892  powershell.exe
51    892  powershell.exe
56    892  powershell.exe
57    892  powershell.exe
58    892  powershell.exe
59    892  powershell.exe
63    892  powershell.exe
64    892  powershell.exe
65    892  powershell.exe
66    892  powershell.exe
68    892  powershell.exe
69    892  powershell.exe
70    892  powershell.exe
Executes dropped EXE 1 IoCs

pid   Process
2396  ARAH BME SDN BHD INV STATEMENT.exe

Loads dropped DLL 1 IoCs

pid   Process
2396  ARAH BME SDN BHD INV STATEMENT.exe
Adds Run key to start application 2 TTPs 1 IoCs

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Hente = "C:\\Users\\Admin\\AppData\\Roaming\\Satinwood\\Sportswomanly.exe"
Process: powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid  Process
892  powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid   Process
2396  ARAH BME SDN BHD INV STATEMENT.exe
892   powershell.exe
Suspicious use of SetThreadContext 1 IoCs

description                          pid   Process                             procid_target
PID 2396 set thread context of 892   2396  ARAH BME SDN BHD INV STATEMENT.exe  105

resource                                                                     yara_rule
behavioral2/memory/892-30-0x0000000000400000-0x00000000005E4000-memory.dmp   upx
Drops file in Windows directory 1 IoCs

description: File opened for modification
ioc: C:\Windows\Fonts\Rolff18\Eventyrligt135.ini
Process: ARAH BME SDN BHD INV STATEMENT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                     Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ARAH BME SDN BHD INV STATEMENT.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

pid  Process
32   7zFM.exe
32   7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid  Process
32   7zFM.exe
892  powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid   Process
2396  ARAH BME SDN BHD INV STATEMENT.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description                 pid  Process
Token: SeRestorePrivilege   32   7zFM.exe
Token: 35                   32   7zFM.exe
Token: SeSecurityPrivilege  32   7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid  Process
32   7zFM.exe
32   7zFM.exe
32   7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid  Process
892  powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description                        pid   Process                             procid_target
PID 32 wrote to memory of 2396     32    7zFM.exe                            102
PID 32 wrote to memory of 2396     32    7zFM.exe                            102
PID 32 wrote to memory of 2396     32    7zFM.exe                            102
PID 2396 wrote to memory of 892    2396  ARAH BME SDN BHD INV STATEMENT.exe  105
PID 2396 wrote to memory of 892    2396  ARAH BME SDN BHD INV STATEMENT.exe  105
PID 2396 wrote to memory of 892    2396  ARAH BME SDN BHD INV STATEMENT.exe  105
PID 2396 wrote to memory of 892    2396  ARAH BME SDN BHD INV STATEMENT.exe  105
PID 2396 wrote to memory of 892    2396  ARAH BME SDN BHD INV STATEMENT.exe  105
Processes

Level 1: C:\Program Files\7-Zip\7zFM.exe
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ARAH%20BME%20SDN%20BHD%20INV%20STATEMENT.zip"
PID: 32
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\7zO020E2308\ARAH BME SDN BHD INV STATEMENT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7zO020E2308\ARAH BME SDN BHD INV STATEMENT.exe"
  PID: 2396
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO020E2308\ARAH BME SDN BHD INV STATEMENT.exe"
    PID: 892
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 658KB
MD5: 031bc337fabe49aac9c372f16825354c
SHA1: 7abb57546b33f2c3f91b2cc182186b0ed21b9544
SHA256: 8450066748c90f306e28dee0fd262b9b1b8ed05ef40a8ee07b37bc6d0ce16764
SHA512: 6fadb85a17597377a3a0c7c5ccb3d376412281be0ee166a0726fbf0ca18e2336002ca1adcb0822f360cda67661c5a6d5464e47aa1ebe3432ff8f5110bc5f13e7

Filesize: 12KB
MD5: cff85c549d536f651d4fb8387f1976f2
SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88