guloader | f8abb401812eafff1ca24fbafc67d5cdb34ba384da284b55d5350a5300fb7757

Analysis

max time kernel
150s
max time network
112s
platform
windows10_x64
resource
win10v20210408
submitted
19-04-2021 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Size

438KB
MD5

c82d1d8b8fc5cbbf8ee05bee229a3a76
SHA1

eeaba79a2d490544ccf4c75f93e6456ab474f800
SHA256

f8abb401812eafff1ca24fbafc67d5cdb34ba384da284b55d5350a5300fb7757
SHA512

01bd7148e3befa03dd6e548c2c0784849f730165b43dec14f18262b1ee0e592b0e4132f0acf01f9b4d9d46074f0c2b26b5e626cd54d39f88113d10bd684387dc

Score

10^/10

guloader downloader evasion guloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Guloader Payload 1 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/3152-153-0x00000000020E0000-0x00000000020EF000-memory.dmp	family_guloader

Executes dropped EXE 6 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3152 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2300 icsys.icn.exe
972 explorer.exe
4028 spoolsv.exe
2196 svchost.exe
3584 spoolsv.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3152	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2300	icsys.icn.exe
972	explorer.exe
4028	spoolsv.exe
2196	svchost.exe
3584	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
2300	icsys.icn.exe
2300	icsys.icn.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
2196	svchost.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
972	explorer.exe
2196	svchost.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe
972	explorer.exe
2196	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

972 explorer.exe
2196 svchost.exe

pid	process
972	explorer.exe
2196	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exe

description	pid	process
Token: SeShutdownPrivilege	3152	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Token: SeCreatePagefilePrivilege	3152	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exec82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
804	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
804	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
3152	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2300	icsys.icn.exe
2300	icsys.icn.exe
972	explorer.exe
972	explorer.exe
4028	spoolsv.exe
4028	spoolsv.exe
2196	svchost.exe
2196	svchost.exe
3584	spoolsv.exe
3584	spoolsv.exe
972	explorer.exe
972	explorer.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 804 wrote to memory of 3152	804	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 804 wrote to memory of 3152	804	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 804 wrote to memory of 3152	804	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 804 wrote to memory of 2300	804	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 804 wrote to memory of 2300	804	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 804 wrote to memory of 2300	804	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 2300 wrote to memory of 972	2300	icsys.icn.exe	explorer.exe
PID 2300 wrote to memory of 972	2300	icsys.icn.exe	explorer.exe
PID 2300 wrote to memory of 972	2300	icsys.icn.exe	explorer.exe
PID 972 wrote to memory of 4028	972	explorer.exe	spoolsv.exe
PID 972 wrote to memory of 4028	972	explorer.exe	spoolsv.exe
PID 972 wrote to memory of 4028	972	explorer.exe	spoolsv.exe
PID 4028 wrote to memory of 2196	4028	spoolsv.exe	svchost.exe
PID 4028 wrote to memory of 2196	4028	spoolsv.exe	svchost.exe
PID 4028 wrote to memory of 2196	4028	spoolsv.exe	svchost.exe
PID 2196 wrote to memory of 3584	2196	svchost.exe	spoolsv.exe
PID 2196 wrote to memory of 3584	2196	svchost.exe	spoolsv.exe
PID 2196 wrote to memory of 3584	2196	svchost.exe	spoolsv.exe
PID 2196 wrote to memory of 2808	2196	svchost.exe	at.exe
PID 2196 wrote to memory of 2808	2196	svchost.exe	at.exe
PID 2196 wrote to memory of 2808	2196	svchost.exe	at.exe
PID 2196 wrote to memory of 2192	2196	svchost.exe	at.exe
PID 2196 wrote to memory of 2192	2196	svchost.exe	at.exe
PID 2196 wrote to memory of 2192	2196	svchost.exe	at.exe
PID 2196 wrote to memory of 1648	2196	svchost.exe	at.exe
PID 2196 wrote to memory of 1648	2196	svchost.exe	at.exe
PID 2196 wrote to memory of 1648	2196	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
"C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

\??\c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Windows\SysWOW64\at.exe
at 20:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2808

C:\Windows\SysWOW64\at.exe
at 20:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2192

C:\Windows\SysWOW64\at.exe
at 20:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
MD5
81f33af36aa74b241608c2f1ae494ab9

SHA1
057a50d03af170a3137ba1a94db45dcc1898e708

SHA256
ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90

SHA512
c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
MD5
455c155a23342f28b1cdbfd5d620f129

SHA1
89b1c98e97e29e178cb7433f801dc4fb7b2d4e03

SHA256
86c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15

SHA512
00bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
MD5
455c155a23342f28b1cdbfd5d620f129

SHA1
89b1c98e97e29e178cb7433f801dc4fb7b2d4e03

SHA256
86c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15

SHA512
00bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
MD5
0f960b71b449d7d4f123e52e26f25f87

SHA1
7bf7f13fe82fdb8ef26b2ec2d8a3bbd410f62e81

SHA256
cd5ccf88e9762f1ab6feec282dbe82955e7fd501f0a9f77a9b67754915533f5d

SHA512
727e08242883163d2b9c9e4e20abfb957d60cd0268bc81a2fbecf3b880102705f0948a67a519e0c6d346729df1d4fe520d0f449d2458f6d77a452bc8a111eacf

Download Submit
C:\Windows\System\explorer.exe
MD5
d72f8a971f7c82bc80e9d4ed49e2acc7

SHA1
7af7c4580add78ce7352b0256e182155125bee48

SHA256
594b3740a2df142bd50c20ed4ba90cb32df82ed9caade67651ff523163f47a55

SHA512
1183bebaefb470203b009fa64d8cf3458295e2ced5ac6c73025adddc0bf60a632ad33c94b267026243e5e61f0281f88bc1cbacc78abe8b7d47c6afa63d5f2ff6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ce1b9ade04721c8dc5e994e71db68545

SHA1
a44e1d16089d06e4841ee5c3f1315d255f1650c0

SHA256
47335d4e7554c76f67449c1b8d24fafee8e8a004cac5bdf7d9ea301fb4c1435f

SHA512
810b7c8609dcbfc349858d2e8b54d392119205113c2939f7b9959d1eed054748f12da9e7d87429d169da8aa52374b5b1493506a1a094b2f296d134a3176e3e0a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ce1b9ade04721c8dc5e994e71db68545

SHA1
a44e1d16089d06e4841ee5c3f1315d255f1650c0

SHA256
47335d4e7554c76f67449c1b8d24fafee8e8a004cac5bdf7d9ea301fb4c1435f

SHA512
810b7c8609dcbfc349858d2e8b54d392119205113c2939f7b9959d1eed054748f12da9e7d87429d169da8aa52374b5b1493506a1a094b2f296d134a3176e3e0a

Download Submit
C:\Windows\System\svchost.exe
MD5
d62968130c1dfba07918b7a45b02d20e

SHA1
bb7f5c720bd8324aad2b3670f9ed669dfab1e96b

SHA256
af493442327ffcbc7fa19a935ed18c5eaca6a51ab2b1ab92531a0c8b0fcad759

SHA512
76d419ce0407a2d2fc2501dda8604d34f9eae6c64203bf8d1a79330520fd0649ddd25579dfe7fe22de905d2b7f79b8cabc81ff5bca48147d75ef9a453e7bbb58

Download Submit
\??\c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
MD5
81f33af36aa74b241608c2f1ae494ab9

SHA1
057a50d03af170a3137ba1a94db45dcc1898e708

SHA256
ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90

SHA512
c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f

Download Submit
\??\c:\windows\system\explorer.exe
MD5
d72f8a971f7c82bc80e9d4ed49e2acc7

SHA1
7af7c4580add78ce7352b0256e182155125bee48

SHA256
594b3740a2df142bd50c20ed4ba90cb32df82ed9caade67651ff523163f47a55

SHA512
1183bebaefb470203b009fa64d8cf3458295e2ced5ac6c73025adddc0bf60a632ad33c94b267026243e5e61f0281f88bc1cbacc78abe8b7d47c6afa63d5f2ff6

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
ce1b9ade04721c8dc5e994e71db68545

SHA1
a44e1d16089d06e4841ee5c3f1315d255f1650c0

SHA256
47335d4e7554c76f67449c1b8d24fafee8e8a004cac5bdf7d9ea301fb4c1435f

SHA512
810b7c8609dcbfc349858d2e8b54d392119205113c2939f7b9959d1eed054748f12da9e7d87429d169da8aa52374b5b1493506a1a094b2f296d134a3176e3e0a

Download Submit
\??\c:\windows\system\svchost.exe
MD5
d62968130c1dfba07918b7a45b02d20e

SHA1
bb7f5c720bd8324aad2b3670f9ed669dfab1e96b

SHA256
af493442327ffcbc7fa19a935ed18c5eaca6a51ab2b1ab92531a0c8b0fcad759

SHA512
76d419ce0407a2d2fc2501dda8604d34f9eae6c64203bf8d1a79330520fd0649ddd25579dfe7fe22de905d2b7f79b8cabc81ff5bca48147d75ef9a453e7bbb58

Download Submit
memory/972-128-0x0000000000000000-mapping.dmp

Download
memory/1648-155-0x0000000000000000-mapping.dmp

Download
memory/2192-154-0x0000000000000000-mapping.dmp

Download
memory/2196-140-0x0000000000000000-mapping.dmp

Download
memory/2300-122-0x0000000000000000-mapping.dmp

Download
memory/2808-151-0x0000000000000000-mapping.dmp

Download
memory/3152-117-0x0000000000000000-mapping.dmp

Download
memory/3152-153-0x00000000020E0000-0x00000000020EF000-memory.dmp

Filesize
60KB

Download
memory/3584-146-0x0000000000000000-mapping.dmp

Download
memory/4028-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads