guloader | 65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c

General

Target

LIST OF ITEMS 2021 project.xlsx
Size

590KB
MD5

4a1d13469a6c817242e8b567bf34ab9a
SHA1

a0d54f6c1205defad5f31cadf3393880e7c4c862
SHA256

65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c
SHA512

a89649b90fe5900f3a014d84cee247df5ee514066bc2b58b968eea203d5290db6964aa5e6f5169cd4830121b0044c620c55db1089bb6c73c1af18f7a82729bf8

Score

10^/10

guloader downloader suricata

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 668 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1220 vbc.exe
Checks QEMU agent file 2 TTPs 1 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vbc.exe

description ioc process

File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe vbc.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEvbc.exe

pid process

668 EQNEDT32.EXE
668 EQNEDT32.EXE
1528 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

vbc.exe

pid process

1220 vbc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1220 set thread context of 1528 1220 vbc.exe vbc.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

668 EQNEDT32.EXE

flow	pid	process
6	668	EQNEDT32.EXE

pid	process
1220	vbc.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	vbc.exe

pid	process
668	EQNEDT32.EXE
668	EQNEDT32.EXE
1528	vbc.exe

pid	process
1220	vbc.exe

description	pid	process	target process
PID 1220 set thread context of 1528	1220	vbc.exe	vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
668	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1840 EXCEL.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vbc.exe

pid process

1220 vbc.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXEvbc.exe

pid process

1840 EXCEL.EXE
1840 EXCEL.EXE
1840 EXCEL.EXE
1220 vbc.exe
1840 EXCEL.EXE
1840 EXCEL.EXE

pid	process
1840	EXCEL.EXE

pid	process
1220	vbc.exe

pid	process
1840	EXCEL.EXE
1840	EXCEL.EXE
1840	EXCEL.EXE
1220	vbc.exe
1840	EXCEL.EXE
1840	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 668 wrote to memory of 1220	668	EQNEDT32.EXE	vbc.exe
PID 668 wrote to memory of 1220	668	EQNEDT32.EXE	vbc.exe
PID 668 wrote to memory of 1220	668	EQNEDT32.EXE	vbc.exe
PID 668 wrote to memory of 1220	668	EQNEDT32.EXE	vbc.exe
PID 1220 wrote to memory of 1528	1220	vbc.exe	vbc.exe
PID 1220 wrote to memory of 1528	1220	vbc.exe	vbc.exe
PID 1220 wrote to memory of 1528	1220	vbc.exe	vbc.exe
PID 1220 wrote to memory of 1528	1220	vbc.exe	vbc.exe
PID 1220 wrote to memory of 1528	1220	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\LIST OF ITEMS 2021 project.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Loads dropped DLL
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
451e4cd68c69c2c8b8fc93ad02e8754a

SHA1
b87d041383fa59a21bff9666756efa2784282199

SHA256
e406c6674e19f2f3368e26ad4e6d672b190ea5df8cb1b5e95c9e22fb8c80738b

SHA512
fe42a6afbd37ec5d20ec0c22153489ee0ca4a636fe8312dbf9554bebe7c6d3d0e9ad602c3a746304f150561650fb2a887cfc10b3ad727a2fab0a72a5a9d11911

Download Submit
C:\Users\Public\vbc.exe
MD5
451e4cd68c69c2c8b8fc93ad02e8754a

SHA1
b87d041383fa59a21bff9666756efa2784282199

SHA256
e406c6674e19f2f3368e26ad4e6d672b190ea5df8cb1b5e95c9e22fb8c80738b

SHA512
fe42a6afbd37ec5d20ec0c22153489ee0ca4a636fe8312dbf9554bebe7c6d3d0e9ad602c3a746304f150561650fb2a887cfc10b3ad727a2fab0a72a5a9d11911

Download Submit
C:\Users\Public\vbc.exe
MD5
451e4cd68c69c2c8b8fc93ad02e8754a

SHA1
b87d041383fa59a21bff9666756efa2784282199

SHA256
e406c6674e19f2f3368e26ad4e6d672b190ea5df8cb1b5e95c9e22fb8c80738b

SHA512
fe42a6afbd37ec5d20ec0c22153489ee0ca4a636fe8312dbf9554bebe7c6d3d0e9ad602c3a746304f150561650fb2a887cfc10b3ad727a2fab0a72a5a9d11911

Download Submit
\Users\Public\vbc.exe
MD5
451e4cd68c69c2c8b8fc93ad02e8754a

SHA1
b87d041383fa59a21bff9666756efa2784282199

SHA256
e406c6674e19f2f3368e26ad4e6d672b190ea5df8cb1b5e95c9e22fb8c80738b

SHA512
fe42a6afbd37ec5d20ec0c22153489ee0ca4a636fe8312dbf9554bebe7c6d3d0e9ad602c3a746304f150561650fb2a887cfc10b3ad727a2fab0a72a5a9d11911

Download Submit
\Users\Public\vbc.exe
MD5
451e4cd68c69c2c8b8fc93ad02e8754a

SHA1
b87d041383fa59a21bff9666756efa2784282199

SHA256
e406c6674e19f2f3368e26ad4e6d672b190ea5df8cb1b5e95c9e22fb8c80738b

SHA512
fe42a6afbd37ec5d20ec0c22153489ee0ca4a636fe8312dbf9554bebe7c6d3d0e9ad602c3a746304f150561650fb2a887cfc10b3ad727a2fab0a72a5a9d11911

Download Submit
memory/668-63-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1220-66-0x0000000000000000-mapping.dmp

Download
memory/1220-80-0x00000000777B0000-0x0000000077959000-memory.dmp

Filesize
1.7MB

Download
memory/1220-70-0x0000000000370000-0x000000000037F000-memory.dmp

Filesize
60KB

Download
memory/1220-82-0x00000000779A0000-0x0000000077A76000-memory.dmp

Filesize
856KB

Download
memory/1220-81-0x0000000077990000-0x0000000077B10000-memory.dmp

Filesize
1.5MB

Download
memory/1528-77-0x00000000004017AC-mapping.dmp

Download
memory/1528-79-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1528-83-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/1840-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1840-60-0x000000002F0A1000-0x000000002F0A4000-memory.dmp

Filesize
12KB

Download
memory/1840-61-0x0000000071831000-0x0000000071833000-memory.dmp

Filesize
8KB

Download
memory/1840-71-0x0000000005F50000-0x0000000006B9A000-memory.dmp

Filesize
12.3MB

Download
memory/1840-73-0x0000000005F50000-0x0000000006B9A000-memory.dmp

Filesize
12.3MB

Download
memory/1840-72-0x0000000005F50000-0x0000000006B9A000-memory.dmp

Filesize
12.3MB

Download
memory/1840-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing