Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 08:06

General

  • Target

    ORDER TEMAQTN03420.pdf.exe

  • Size

    92KB

  • MD5

    112face4604bd6d53890c720014aa6ad

  • SHA1

    c02b7af506322cfcd47b2baae832453fbf327850

  • SHA256

    2736a22d053fb69491862c85b4365fdc772d33ad83dcef7f426e6bcd725b9301

  • SHA512

    d5aaf2765f4fd1667a4aaef1e6f57c084c06964fb88ee30903864fc3102da8cd574954cb8d9b2739daaa8d07fa79ee8433acf35cf5b4eca1f2936035f5b9417f

  • SSDEEP

    1536:VOxgxgIyddH/uMKkpxBQ6N5PxbMKkpxBQngxgIyddH/:w8fyddfu8pxBQ6Txb8pxBQn8fyddf

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Guloader payload 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER TEMAQTN03420.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER TEMAQTN03420.pdf.exe"
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER TEMAQTN03420.pdf.exe"
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2484

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Command and Control
    • Web Service (T1102): 1

Downloads

  • memory/2484-4-0x0000000000B00000-0x0000000000C00000-memory.dmp
    Filesize

    1024KB

  • memory/4828-2-0x00000000020A0000-0x00000000020A9000-memory.dmp
    Filesize

    36KB

  • memory/4828-3-0x0000000077BC1000-0x0000000077CE1000-memory.dmp
    Filesize

    1.1MB

  • memory/4828-6-0x00000000020A0000-0x00000000020A9000-memory.dmp
    Filesize

    36KB

  • memory/4828-7-0x00000000020A0000-0x00000000020A9000-memory.dmp
    Filesize

    36KB