Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-05-2024 04:10

General

  • Target

    Stateent6_from_emerat_group.pdf.exe

  • Size

    263KB

  • MD5

    5da57fce93a85e91d68c9d9fe5fa71c8

  • SHA1

    e2dcbfd47f2e6f33bb5a594c789b67a7f0585f3a

  • SHA256

    4f9cda81a57f8eb019f94a2983c56f5f8a50813d332dd3207f33f97fdc55346e

  • SHA512

    f7042e72bc5856b285ffbefc7139665762d313af155b4419ee3b8d7840cca089ad14ad94f5ddc97d0860a7c6f8c5af5e8493b49533c77bc372281b97008020a0

  • SSDEEP

    6144:ip0TLAkzL7r9r/EDppppppppppppppppppppppppppppp0G7:iuTNP7r9r/+pppppppppppppppppppph

Malware Config

Extracted

Family

guloader

C2

https://onedrive.live.com/download?cid=886791A338196A5D&resid=886791A338196A5D%211899&authkey=AOIrPjbXhW_WZVo

xor.base64

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Guloader payload 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stateent6_from_emerat_group.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Stateent6_from_emerat_group.pdf.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\Stateent6_from_emerat_group.pdf.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2924

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    Modify Registry (T1112): 1

Downloads

  • memory/2924-6-0x0000000077981000-0x0000000077AA1000-memory.dmp
    Filesize

    1.1MB

  • memory/2924-5-0x0000000000B00000-0x0000000000C00000-memory.dmp
    Filesize

    1024KB

  • memory/4304-2-0x0000000002250000-0x0000000002257000-memory.dmp
    Filesize

    28KB

  • memory/4304-3-0x0000000077981000-0x0000000077AA1000-memory.dmp
    Filesize

    1.1MB

  • memory/4304-10-0x0000000002250000-0x0000000002257000-memory.dmp
    Filesize

    28KB

  • memory/4304-11-0x0000000002250000-0x0000000002257000-memory.dmp
    Filesize

    28KB