guloader | f8abb401812eafff1ca24fbafc67d5cdb34ba384da284b55d5350a5300fb7757

Analysis

max time kernel
152s
max time network
113s
platform
windows10_x64
resource
win10v20210408
submitted
19-04-2021 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Size

438KB
MD5

c82d1d8b8fc5cbbf8ee05bee229a3a76
SHA1

eeaba79a2d490544ccf4c75f93e6456ab474f800
SHA256

f8abb401812eafff1ca24fbafc67d5cdb34ba384da284b55d5350a5300fb7757
SHA512

01bd7148e3befa03dd6e548c2c0784849f730165b43dec14f18262b1ee0e592b0e4132f0acf01f9b4d9d46074f0c2b26b5e626cd54d39f88113d10bd684387dc

Score

10^/10

guloader downloader evasion guloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Guloader Payload 1 IoCs

guloader

Processes:

resource	yara_rule
behavioral2/memory/3568-153-0x0000000002910000-0x000000000291F000-memory.dmp	family_guloader

Executes dropped EXE 6 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3568 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2988 icsys.icn.exe
2100 explorer.exe
4032 spoolsv.exe
2308 svchost.exe
2656 spoolsv.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3568	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2988	icsys.icn.exe
2100	explorer.exe
4032	spoolsv.exe
2308	svchost.exe
2656	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exesvchost.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
2988	icsys.icn.exe
2988	icsys.icn.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe
2308	svchost.exe
2308	svchost.exe
2100	explorer.exe
2100	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2100 explorer.exe
2308 svchost.exe

pid	process
2100	explorer.exe
2308	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exe

description	pid	process
Token: SeShutdownPrivilege	3568	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Token: SeCreatePagefilePrivilege	3568	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exec82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3492	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
3492	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
3568	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2988	icsys.icn.exe
2988	icsys.icn.exe
2100	explorer.exe
2100	explorer.exe
4032	spoolsv.exe
4032	spoolsv.exe
2308	svchost.exe
2308	svchost.exe
2656	spoolsv.exe
2656	spoolsv.exe
2100	explorer.exe
2100	explorer.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3492 wrote to memory of 3568	3492	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 3492 wrote to memory of 3568	3492	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 3492 wrote to memory of 3568	3492	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 3492 wrote to memory of 2988	3492	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 3492 wrote to memory of 2988	3492	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 3492 wrote to memory of 2988	3492	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 2988 wrote to memory of 2100	2988	icsys.icn.exe	explorer.exe
PID 2988 wrote to memory of 2100	2988	icsys.icn.exe	explorer.exe
PID 2988 wrote to memory of 2100	2988	icsys.icn.exe	explorer.exe
PID 2100 wrote to memory of 4032	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 4032	2100	explorer.exe	spoolsv.exe
PID 2100 wrote to memory of 4032	2100	explorer.exe	spoolsv.exe
PID 4032 wrote to memory of 2308	4032	spoolsv.exe	svchost.exe
PID 4032 wrote to memory of 2308	4032	spoolsv.exe	svchost.exe
PID 4032 wrote to memory of 2308	4032	spoolsv.exe	svchost.exe
PID 2308 wrote to memory of 2656	2308	svchost.exe	spoolsv.exe
PID 2308 wrote to memory of 2656	2308	svchost.exe	spoolsv.exe
PID 2308 wrote to memory of 2656	2308	svchost.exe	spoolsv.exe
PID 2308 wrote to memory of 3924	2308	svchost.exe	at.exe
PID 2308 wrote to memory of 3924	2308	svchost.exe	at.exe
PID 2308 wrote to memory of 3924	2308	svchost.exe	at.exe
PID 2308 wrote to memory of 2288	2308	svchost.exe	at.exe
PID 2308 wrote to memory of 2288	2308	svchost.exe	at.exe
PID 2308 wrote to memory of 2288	2308	svchost.exe	at.exe
PID 2308 wrote to memory of 2640	2308	svchost.exe	at.exe
PID 2308 wrote to memory of 2640	2308	svchost.exe	at.exe
PID 2308 wrote to memory of 2640	2308	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
"C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3492

\??\c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\at.exe
at 19:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:3924

C:\Windows\SysWOW64\at.exe
at 19:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2288

C:\Windows\SysWOW64\at.exe
at 19:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2640

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
MD5
81f33af36aa74b241608c2f1ae494ab9

SHA1
057a50d03af170a3137ba1a94db45dcc1898e708

SHA256
ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90

SHA512
c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
MD5
455c155a23342f28b1cdbfd5d620f129

SHA1
89b1c98e97e29e178cb7433f801dc4fb7b2d4e03

SHA256
86c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15

SHA512
00bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
MD5
455c155a23342f28b1cdbfd5d620f129

SHA1
89b1c98e97e29e178cb7433f801dc4fb7b2d4e03

SHA256
86c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15

SHA512
00bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
MD5
9209a2d03398f99c10701f44d71dc2bb

SHA1
6c0ad8e6bd42fe0b06e627092f1085c736bdc2e8

SHA256
a42fe328e3e434cf1d699d29060b1e1e8b3972a600cbfbf92326cbf58cd407ca

SHA512
99db259aa1779c2215710716536eb48523e4e5a5f1bf84b0cc8d54ca17c5651f48bddabc3bedd7e7e83ec6e81942ca47aa4ddaa1d86b4c6dfeb249860adddfbc

Download Submit
C:\Windows\System\explorer.exe
MD5
b491d8c7ae0d7ad20a0f4885d3033aa9

SHA1
4747ac69f50dcb3736a7c08461b144d667ab4c88

SHA256
0bc00f14615b3ae9848e451500c261e4e28e87cbb96384091fc82df669853fad

SHA512
846eebbb7a44cded43538627774eda5111262b0163688465344719ff365bc3078ef01f2748ca648dd56c2d62b3ea63b9ef916e29b59d84fcf6db2fffe36b443d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ca294e3beb7c60fe1cf96afa2910afa4

SHA1
5965257b43a27a6a69281050fcc49cb1839bfd4e

SHA256
d171701ee62bf59c2fb1fd57380d99978871e435251bacd7054cd4a585117727

SHA512
4eb8c9655633d712cff646ce8b225747cd3e00cef6059db9ca899e333b5988c1f01628bfb8f69452a2ffdfd91d0f9cc851a0d96be9f69264aa38987511421df9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ca294e3beb7c60fe1cf96afa2910afa4

SHA1
5965257b43a27a6a69281050fcc49cb1839bfd4e

SHA256
d171701ee62bf59c2fb1fd57380d99978871e435251bacd7054cd4a585117727

SHA512
4eb8c9655633d712cff646ce8b225747cd3e00cef6059db9ca899e333b5988c1f01628bfb8f69452a2ffdfd91d0f9cc851a0d96be9f69264aa38987511421df9

Download Submit
C:\Windows\System\svchost.exe
MD5
723279bc246be813fd08d107fd060021

SHA1
98c4b1ec7e0495d4eace070dadc930d567c6dec8

SHA256
aff72901c3d4231e799c8a68349197df887d059f3b875a5f08f726746069b345

SHA512
f2c583aad6402d30e7663f781c325f70135131b7d98ce0043ab30180465ca940b2dffed37bb4601d12f2c328408dd3df253ebd7791ec5fbd3b93b09f6e3245d7

Download Submit
\??\c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
MD5
81f33af36aa74b241608c2f1ae494ab9

SHA1
057a50d03af170a3137ba1a94db45dcc1898e708

SHA256
ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90

SHA512
c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f

Download Submit
\??\c:\windows\system\explorer.exe
MD5
b491d8c7ae0d7ad20a0f4885d3033aa9

SHA1
4747ac69f50dcb3736a7c08461b144d667ab4c88

SHA256
0bc00f14615b3ae9848e451500c261e4e28e87cbb96384091fc82df669853fad

SHA512
846eebbb7a44cded43538627774eda5111262b0163688465344719ff365bc3078ef01f2748ca648dd56c2d62b3ea63b9ef916e29b59d84fcf6db2fffe36b443d

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
ca294e3beb7c60fe1cf96afa2910afa4

SHA1
5965257b43a27a6a69281050fcc49cb1839bfd4e

SHA256
d171701ee62bf59c2fb1fd57380d99978871e435251bacd7054cd4a585117727

SHA512
4eb8c9655633d712cff646ce8b225747cd3e00cef6059db9ca899e333b5988c1f01628bfb8f69452a2ffdfd91d0f9cc851a0d96be9f69264aa38987511421df9

Download Submit
\??\c:\windows\system\svchost.exe
MD5
723279bc246be813fd08d107fd060021

SHA1
98c4b1ec7e0495d4eace070dadc930d567c6dec8

SHA256
aff72901c3d4231e799c8a68349197df887d059f3b875a5f08f726746069b345

SHA512
f2c583aad6402d30e7663f781c325f70135131b7d98ce0043ab30180465ca940b2dffed37bb4601d12f2c328408dd3df253ebd7791ec5fbd3b93b09f6e3245d7

Download Submit
memory/2100-128-0x0000000000000000-mapping.dmp

Download
memory/2288-154-0x0000000000000000-mapping.dmp

Download
memory/2308-140-0x0000000000000000-mapping.dmp

Download
memory/2640-155-0x0000000000000000-mapping.dmp

Download
memory/2656-146-0x0000000000000000-mapping.dmp

Download
memory/2988-122-0x0000000000000000-mapping.dmp

Download
memory/3568-117-0x0000000000000000-mapping.dmp

Download
memory/3568-153-0x0000000002910000-0x000000000291F000-memory.dmp

Filesize
60KB

Download
memory/3924-151-0x0000000000000000-mapping.dmp

Download
memory/4032-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads