Overview

overview

10

Static

static

1

New Order-...NV.vbe

windows7-x64

10

New Order-...NV.vbe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New Order-USA-JULY INQUIRY-RFQ_MTR052019NV.zip

  • Size

    5KB

  • Sample

    240704-jj6vaa1cnn

  • MD5

    c4f45f2f29a12a83e9105fc7c4b8b740

  • SHA1

    56ea8d718797132e375b1b1c7152dbc33ea0ed38

  • SHA256

    0886ace0f3bd52a2f2f97f1449b00aa7a875a6cbaa8361de5ca79b99c5e2d0e9

  • SHA512

    7e39b602c12a697954891aeb0d7c4789626a511adc2ae88730a7cab7411a4a6372d899f64d6a0fcc6af330425b859fd472d0a224cef9d3f3d7b89bd612638250

  • SSDEEP

    96:1+5Oj+1a+4cHlXam+t0Yz92Ns2n58qptS2IvYZ5/qRfXfZfGXeUYsFr4XxXcHbVr:1FQaHc700Yz9QduTAS1ZGLYsyNejQZcb

Score
10/10
guloaderdownloaderexecutionpersistence

Malware Config

Targets

    • Target

      New Order-USA-JULY INQUIRY-RFQ_MTR052019NV.vbe

    • Size

      9KB

    • MD5

      27b373a50962c2f8fe26274c147195cd

    • SHA1

      1bba2d71036d371f78d628ac9c6cc13221d9ee89

    • SHA256

      3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee

    • SHA512

      dde61a1a192e888bd47135be665678b2334efb8d860ec0ea2224e1d17b95da3cbdad3fb79eff428ae99e0514d8e301d2b424c54127f8f621889e95a4ed888111

    • SSDEEP

      192:pzu36F4teCvSV/mcS36C2W3E11hEAGst4QoKVYHva607dqh2eyTxN8mSVqn:436Se4z36A3cDt/Rdb8miqn

    Score
    10/10
    guloaderdownloaderexecutionpersistence

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks