Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 22:00
Static task
- static1

Behavioral task
- behavioral1
  Sample: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
  Resource: win10v2004-20240508-en
General
- Target: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
- Size: 84KB
- MD5: 71239d39b96b5cdc10d1ff98af0f07d0
- SHA1: b89353b7d545270833a56f81f26724510ed5471b
- SHA256: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae
- SHA512: 646370e996d05d759f933ff7839d46a115a9fe236fa897c7af555400085a96289cb120e7224bb0302f70dd1cb0a84c4ac7ecbdfa25760b3e9c42712cfc6663a5
- SSDEEP: 1536:V8ysFY6TjMuToZPp0goKKHmGvPQJRWhRDQ/R:7xuQu4n4wJRWi
Malware Config
Extracted
- guloader
  https://onedrive.live.com/download?cid=10C44A5247ACCFDE&resid=10C44A5247ACCFDE%21149&authkey=AKZCgadhv8s_S8Y
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Guloader payload (2 IoCs)
  Processes:
    resource: behavioral1/memory/2508-2-0x00000000003C0000-0x00000000003C8000-memory.dmp
    yara_rule: family_guloader
    resource: behavioral1/memory/2508-5-0x00000000003C0000-0x00000000003C8000-memory.dmp
    yara_rule: family_guloader
- Checks QEMU agent file (2 TTPs, 1 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
    description: File opened (read-only)
    ioc: C:\Program Files\Qemu-ga\qemu-ga.exe
    process: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
    pid: 2508
    process: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
    pid: 2508
    process: 1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe"
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2508-2-0x00000000003C0000-0x00000000003C8000-memory.dmp
  Filesize: 32KB
- memory/2508-3-0x0000000076D01000-0x0000000076E02000-memory.dmp
  Filesize: 1.0MB
- memory/2508-4-0x0000000076D00000-0x0000000076EA9000-memory.dmp
  Filesize: 1.7MB
- memory/2508-5-0x00000000003C0000-0x00000000003C8000-memory.dmp
  Filesize: 32KB