Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 10:07
Static task
- static1
Behavioral tasks
- behavioral1: sample 4.exe, resource win7-20240220-en
- behavioral2: sample 4.exe, resource win10v2004-20240508-en
- behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240508-en
- behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240226-en
- behavioral5: sample keelhauls.scr, resource win7-20240611-en
- behavioral6: sample keelhauls.scr, resource win10v2004-20240508-en
General
- Target: 4.exe
- Size: 849KB
- MD5: 1e6cb04df9502e8cb007a482c663bc9d
- SHA1: f53cf395db96bca467de325491ac09cfb8d388fc
- SHA256: a7afb33b403ad33bf2421901d5ed9aad4e7ee362f343a86f313897713f595625
- SHA512: 8c962d165a951644c0c5bf52b95159185a49657facd1f6b3c443fe3dc2af11ab6af8c3e511a37e2581e2cf3e27b7671b0bc5b7762a3fb38b3a273afee6790e57
- SSDEEP: 12288:hcIjd3nQIQsk3na+QidVt1+DXuY4Dc25c2YDX8Y/RN4Yx6m:hcIjUna3imz4DTg5vl
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Loads dropped DLL (1 IoCs)
  Processes: 4.exe (PID 2360)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: 4.exe (PID 2360), 4.exe (PID 1684)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 2360 (4.exe) set thread context of PID 1684 (4.exe)
- Drops file in Windows directory (1 IoCs)
  Processes: 4.exe opened C:\Windows\reassigned\sandi.ini for modification
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: 4.exe (PID 2360)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: PID 2360 (4.exe) wrote to memory of PID 1684 (4.exe), recorded 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\nsy5054.tmp\System.dll
  Filesize: 11KB
  MD5: 55a26d7800446f1373056064c64c3ce8
  SHA1: 80256857e9a0a9c8897923b717f3435295a76002
  SHA256: 904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
  SHA512: 04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b
Memory dumps (filesize in parentheses)
- memory/1684-27-0x0000000001700000-0x000000000270D000-memory.dmp (16.1MB)
- memory/1684-28-0x0000000077588000-0x0000000077589000-memory.dmp (4KB)
- memory/1684-30-0x00000000775A5000-0x00000000775A6000-memory.dmp (4KB)
- memory/1684-31-0x00000000004A0000-0x00000000016F4000-memory.dmp (18.3MB)
- memory/1684-32-0x0000000001700000-0x000000000270D000-memory.dmp (16.1MB)
- memory/1684-34-0x0000000077501000-0x0000000077621000-memory.dmp (1.1MB)
- memory/2360-24-0x0000000004A10000-0x0000000005A1D000-memory.dmp (16.1MB)
- memory/2360-25-0x0000000077501000-0x0000000077621000-memory.dmp (1.1MB)
- memory/2360-26-0x0000000010004000-0x0000000010005000-memory.dmp (4KB)
- memory/2360-29-0x0000000004A10000-0x0000000005A1D000-memory.dmp (16.1MB)
- memory/2360-39-0x0000000004A10000-0x0000000005A1D000-memory.dmp (16.1MB)