Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 09:47
Static task
static1
Behavioral task
behavioral1
Sample
WTF.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
WTF.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
WTF.exe
-
Size
344KB
-
MD5
9b3059448f3fa6da827ef925f9f86e33
-
SHA1
9854bd2c791a99d6409c66ea0f5806d615720e20
-
SHA256
8e9488d20c505541485cbaf7a2716c0567512de6f3f87bb34b5ddc87a0fe78b9
-
SHA512
f74f8dfe9f88ffc69e0d71c442b6195640a145da11c7d2bca5529710fa8fed2355d63e68e160f991a8c9d822561ce7e0d518a0075ef48710be3b24b26ea5cda0
-
SSDEEP
6144:IbE/HU7YLR1SIk6HRa5fjt/iW3DIM4xIhM1IiQ/q+A9TgOCkjMJCRu0Wp3Ww:IbALvSCHWf1tiQC+A9Tbz03Ww
Malware Config
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe WTF.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe WTF.exe -
Loads dropped DLL 1 IoCs
pid Process 1908 WTF.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1908 WTF.exe 2800 WTF.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1908 set thread context of 2800 1908 WTF.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WTF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WTF.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1908 WTF.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1908 wrote to memory of 2800 1908 WTF.exe 30 PID 1908 wrote to memory of 2800 1908 WTF.exe 30 PID 1908 wrote to memory of 2800 1908 WTF.exe 30 PID 1908 wrote to memory of 2800 1908 WTF.exe 30 PID 1908 wrote to memory of 2800 1908 WTF.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\WTF.exe"C:\Users\Admin\AppData\Local\Temp\WTF.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\WTF.exe"C:\Users\Admin\AppData\Local\Temp\WTF.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2800
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88