Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14-06-2024 08:06
Static task
static1
Behavioral task
behavioral1
Sample
ORDER TEMAQTN03420.pdf.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
ORDER TEMAQTN03420.pdf.exe
Resource
win10v2004-20240508-en
General
-
Target
ORDER TEMAQTN03420.pdf.exe
-
Size
92KB
-
MD5
112face4604bd6d53890c720014aa6ad
-
SHA1
c02b7af506322cfcd47b2baae832453fbf327850
-
SHA256
2736a22d053fb69491862c85b4365fdc772d33ad83dcef7f426e6bcd725b9301
-
SHA512
d5aaf2765f4fd1667a4aaef1e6f57c084c06964fb88ee30903864fc3102da8cd574954cb8d9b2739daaa8d07fa79ee8433acf35cf5b4eca1f2936035f5b9417f
-
SSDEEP
1536:VOxgxgIyddH/uMKkpxBQ6N5PxbMKkpxBQngxgIyddH/:w8fyddfu8pxBQ6Txb8pxBQn8fyddf
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Guloader payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2484-4-0x0000000000B00000-0x0000000000C00000-memory.dmp family_guloader -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Ultrasel3 = "C:\\Users\\Admin\\Parturit\\Regnorm.bat" RegAsm.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
Processes:
flow ioc 14 drive.google.com 17 drive.google.com 18 drive.google.com 19 drive.google.com 2 drive.google.com 10 drive.google.com 12 drive.google.com 13 drive.google.com 15 drive.google.com 16 drive.google.com 5 drive.google.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
ORDER TEMAQTN03420.pdf.exeRegAsm.exepid process 4828 ORDER TEMAQTN03420.pdf.exe 2484 RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ORDER TEMAQTN03420.pdf.exedescription pid process target process PID 4828 set thread context of 2484 4828 ORDER TEMAQTN03420.pdf.exe RegAsm.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
ORDER TEMAQTN03420.pdf.exepid process 4828 ORDER TEMAQTN03420.pdf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
ORDER TEMAQTN03420.pdf.exepid process 4828 ORDER TEMAQTN03420.pdf.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
ORDER TEMAQTN03420.pdf.exedescription pid process target process PID 4828 wrote to memory of 2484 4828 ORDER TEMAQTN03420.pdf.exe RegAsm.exe PID 4828 wrote to memory of 2484 4828 ORDER TEMAQTN03420.pdf.exe RegAsm.exe PID 4828 wrote to memory of 2484 4828 ORDER TEMAQTN03420.pdf.exe RegAsm.exe PID 4828 wrote to memory of 2484 4828 ORDER TEMAQTN03420.pdf.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ORDER TEMAQTN03420.pdf.exe"C:\Users\Admin\AppData\Local\Temp\ORDER TEMAQTN03420.pdf.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\ORDER TEMAQTN03420.pdf.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2484-4-0x0000000000B00000-0x0000000000C00000-memory.dmpFilesize
1024KB
-
memory/4828-2-0x00000000020A0000-0x00000000020A9000-memory.dmpFilesize
36KB
-
memory/4828-3-0x0000000077BC1000-0x0000000077CE1000-memory.dmpFilesize
1.1MB
-
memory/4828-6-0x00000000020A0000-0x00000000020A9000-memory.dmpFilesize
36KB
-
memory/4828-7-0x00000000020A0000-0x00000000020A9000-memory.dmpFilesize
36KB