guloader | 487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

Resubmissions

16/04/2025, 16:46

250416-vaaahaxnt9 10

16/04/2025, 13:10

250416-qerccswjt5 10

16/04/2025, 12:57

250416-p6x4jsvrx2 10

16/04/2025, 12:51

250416-p3kn2svrv5 10

Analysis

max time kernel
118s
max time network
118s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2025, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virusshare/3/VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
Size

64KB
MD5

4aa5734fe9c86184f931f4ddaf2d4d7b
SHA1

a066ccad76f3c63d053cd68ac8692d4f4acf82ac
SHA256

2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa
SHA512

7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c
SSDEEP

384:rdP9JIA7uJ1wK2xBpHbVbl+NGYD90pSCfZziEKffhaekBfdReVwoGHdRsArr2rOR:R9JIqNl/SSrrpBfiIdRsorZucnjtsq

Score

10^/10

guloader discovery downloader persistence

Malware Config

Extracted

Family

guloader

https://eficadgdl.com/well/Omitted-Credentials_encrypted_6A17930.bin

xor.base64

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 16 IoCs

pid	Process
2008	erythroph.exe
4996	erythroph.exe
3344	erythroph.exe
5124	erythroph.exe
4564	erythroph.exe
5184	erythroph.exe
5848	erythroph.exe
4844	erythroph.exe
5580	erythroph.exe
5172	erythroph.exe
4972	erythroph.exe
4256	erythroph.exe
3376	erythroph.exe
5688	erythroph.exe
3512	erythroph.exe
2692	erythroph.exe

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-599783296-1627459723-2423478968-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Slngkapper9 = "C:\\Users\\Admin\\TROFFE\\erythroph.exe"	RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
3136	RegAsm.exe
2008	erythroph.exe
5176	RegAsm.exe
4996	erythroph.exe
5032	RegAsm.exe
3344	erythroph.exe
6052	RegAsm.exe
5124	erythroph.exe
2080	RegAsm.exe
4564	erythroph.exe
912	RegAsm.exe
5184	erythroph.exe
2512	RegAsm.exe
5848	erythroph.exe
3144	RegAsm.exe
4844	erythroph.exe
2032	RegAsm.exe
5580	erythroph.exe
5776	RegAsm.exe
5172	erythroph.exe
1892	RegAsm.exe
4972	erythroph.exe
1080	RegAsm.exe
4256	erythroph.exe
2736	RegAsm.exe
3376	erythroph.exe
4896	RegAsm.exe
5688	erythroph.exe
5044	RegAsm.exe
3512	erythroph.exe
3580	RegAsm.exe
2692	erythroph.exe
6016	RegAsm.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 3136	3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 2008 set thread context of 5176	2008	erythroph.exe	85
PID 4996 set thread context of 5032	4996	erythroph.exe	90
PID 3344 set thread context of 6052	3344	erythroph.exe	95
PID 5124 set thread context of 2080	5124	erythroph.exe	100
PID 4564 set thread context of 912	4564	erythroph.exe	105
PID 5184 set thread context of 2512	5184	erythroph.exe	110
PID 5848 set thread context of 3144	5848	erythroph.exe	115
PID 4844 set thread context of 2032	4844	erythroph.exe	121
PID 5580 set thread context of 5776	5580	erythroph.exe	126
PID 5172 set thread context of 1892	5172	erythroph.exe	131
PID 4972 set thread context of 1080	4972	erythroph.exe	136
PID 4256 set thread context of 2736	4256	erythroph.exe	143
PID 3376 set thread context of 4896	3376	erythroph.exe	148
PID 5688 set thread context of 5044	5688	erythroph.exe	153
PID 3512 set thread context of 3580	3512	erythroph.exe	159
PID 2692 set thread context of 6016	2692	erythroph.exe	164

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erythroph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
2008	erythroph.exe
4996	erythroph.exe
3344	erythroph.exe
5124	erythroph.exe
4564	erythroph.exe
5184	erythroph.exe
5848	erythroph.exe
4844	erythroph.exe
4844	erythroph.exe
5580	erythroph.exe
5172	erythroph.exe
4972	erythroph.exe
4256	erythroph.exe
4256	erythroph.exe
4256	erythroph.exe
3376	erythroph.exe
5688	erythroph.exe
3512	erythroph.exe
3512	erythroph.exe
2692	erythroph.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
2008	erythroph.exe
4996	erythroph.exe
3344	erythroph.exe
5124	erythroph.exe
4564	erythroph.exe
5184	erythroph.exe
5848	erythroph.exe
4844	erythroph.exe
5580	erythroph.exe
5172	erythroph.exe
4972	erythroph.exe
4256	erythroph.exe
3376	erythroph.exe
5688	erythroph.exe
3512	erythroph.exe
2692	erythroph.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 3424	3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 3184 wrote to memory of 3424	3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 3184 wrote to memory of 3424	3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	79
PID 3184 wrote to memory of 3136	3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 3184 wrote to memory of 3136	3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 3184 wrote to memory of 3136	3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 3184 wrote to memory of 3136	3184	VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe	80
PID 4892 wrote to memory of 2008	4892	cmd.exe	84
PID 4892 wrote to memory of 2008	4892	cmd.exe	84
PID 4892 wrote to memory of 2008	4892	cmd.exe	84
PID 2008 wrote to memory of 5176	2008	erythroph.exe	85
PID 2008 wrote to memory of 5176	2008	erythroph.exe	85
PID 2008 wrote to memory of 5176	2008	erythroph.exe	85
PID 2008 wrote to memory of 5176	2008	erythroph.exe	85
PID 3004 wrote to memory of 4996	3004	cmd.exe	89
PID 3004 wrote to memory of 4996	3004	cmd.exe	89
PID 3004 wrote to memory of 4996	3004	cmd.exe	89
PID 4996 wrote to memory of 5032	4996	erythroph.exe	90
PID 4996 wrote to memory of 5032	4996	erythroph.exe	90
PID 4996 wrote to memory of 5032	4996	erythroph.exe	90
PID 4996 wrote to memory of 5032	4996	erythroph.exe	90
PID 4376 wrote to memory of 3344	4376	cmd.exe	94
PID 4376 wrote to memory of 3344	4376	cmd.exe	94
PID 4376 wrote to memory of 3344	4376	cmd.exe	94
PID 3344 wrote to memory of 6052	3344	erythroph.exe	95
PID 3344 wrote to memory of 6052	3344	erythroph.exe	95
PID 3344 wrote to memory of 6052	3344	erythroph.exe	95
PID 3344 wrote to memory of 6052	3344	erythroph.exe	95
PID 5644 wrote to memory of 5124	5644	cmd.exe	99
PID 5644 wrote to memory of 5124	5644	cmd.exe	99
PID 5644 wrote to memory of 5124	5644	cmd.exe	99
PID 5124 wrote to memory of 2080	5124	erythroph.exe	100
PID 5124 wrote to memory of 2080	5124	erythroph.exe	100
PID 5124 wrote to memory of 2080	5124	erythroph.exe	100
PID 5124 wrote to memory of 2080	5124	erythroph.exe	100
PID 4732 wrote to memory of 4564	4732	cmd.exe	104
PID 4732 wrote to memory of 4564	4732	cmd.exe	104
PID 4732 wrote to memory of 4564	4732	cmd.exe	104
PID 4564 wrote to memory of 912	4564	erythroph.exe	105
PID 4564 wrote to memory of 912	4564	erythroph.exe	105
PID 4564 wrote to memory of 912	4564	erythroph.exe	105
PID 4564 wrote to memory of 912	4564	erythroph.exe	105
PID 5556 wrote to memory of 5184	5556	cmd.exe	109
PID 5556 wrote to memory of 5184	5556	cmd.exe	109
PID 5556 wrote to memory of 5184	5556	cmd.exe	109
PID 5184 wrote to memory of 2512	5184	erythroph.exe	110
PID 5184 wrote to memory of 2512	5184	erythroph.exe	110
PID 5184 wrote to memory of 2512	5184	erythroph.exe	110
PID 5184 wrote to memory of 2512	5184	erythroph.exe	110
PID 4000 wrote to memory of 5848	4000	cmd.exe	114
PID 4000 wrote to memory of 5848	4000	cmd.exe	114
PID 4000 wrote to memory of 5848	4000	cmd.exe	114
PID 5848 wrote to memory of 3144	5848	erythroph.exe	115
PID 5848 wrote to memory of 3144	5848	erythroph.exe	115
PID 5848 wrote to memory of 3144	5848	erythroph.exe	115
PID 5848 wrote to memory of 3144	5848	erythroph.exe	115
PID 3844 wrote to memory of 4844	3844	cmd.exe	119
PID 3844 wrote to memory of 4844	3844	cmd.exe	119
PID 3844 wrote to memory of 4844	3844	cmd.exe	119
PID 4844 wrote to memory of 1880	4844	erythroph.exe	120
PID 4844 wrote to memory of 1880	4844	erythroph.exe	120
PID 4844 wrote to memory of 1880	4844	erythroph.exe	120
PID 4844 wrote to memory of 2032	4844	erythroph.exe	121
PID 4844 wrote to memory of 2032	4844	erythroph.exe	121

C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe
"C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  PID:3424
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5644
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5124
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5556
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5184
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:1880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5104
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5580
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5772
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5172
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1392
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:4972
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:5024
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:4256
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:424
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:1664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4296
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:3376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1172
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:5688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:4072
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:3512
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    PID:768
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\TROFFE\erythroph.exe
1⤵
PID:1488
- C:\Users\Admin\TROFFE\erythroph.exe
  C:\Users\Admin\TROFFE\erythroph.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    C:\Users\Admin\TROFFE\erythroph.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6016

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\TROFFE\erythroph.exe

Filesize
64KB

MD5
4aa5734fe9c86184f931f4ddaf2d4d7b

SHA1
a066ccad76f3c63d053cd68ac8692d4f4acf82ac

SHA256
2e18ad3e470b97415beb2cdb8e3ef7510bad21f0a5add020a7f9343dd959eeaa

SHA512
7355ffd3fc59af49af1d57f5327c7442a12c8e5ddc6ec9e176cc27fd4986cd6182f5f6ce91f892c07029efcac37f90d4dd077b6bb226b54c40621b94987a044c

Download Submit
memory/2008-13-0x00007FF8B05E0000-0x00007FF8B07E9000-memory.dmp

Filesize
2.0MB

Download
memory/2032-63-0x0000000074EA0000-0x000000007512A000-memory.dmp

Filesize
2.5MB

Download
memory/3136-5-0x00007FF8B05E0000-0x00007FF8B07E9000-memory.dmp

Filesize
2.0MB

Download
memory/3136-7-0x00007FF8B05E0000-0x00007FF8B07E9000-memory.dmp

Filesize
2.0MB

Download
memory/3136-34-0x00007FF8B05E0000-0x00007FF8B07E9000-memory.dmp

Filesize
2.0MB

Download
memory/3184-2-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/3184-4-0x00007FF8B05E0000-0x00007FF8B07E9000-memory.dmp

Filesize
2.0MB

Download
memory/3184-24-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/3184-3-0x00007FF8B05E1000-0x00007FF8B070A000-memory.dmp

Filesize
1.2MB

Download
memory/3184-65-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/5176-14-0x00007FF8B05E0000-0x00007FF8B07E9000-memory.dmp

Filesize
2.0MB

Download
memory/5176-53-0x00007FF8B05E0000-0x00007FF8B07E9000-memory.dmp

Filesize
2.0MB

Download
memory/5776-64-0x0000000074EA0000-0x000000007512A000-memory.dmp

Filesize
2.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads