guloader | d11342ce9c7550e129e455126cb6373145ea86ae5ee777a652205541ef4cec2c

General

Target

4aeb49bf7e23aab664de914df204664f.exe
Size

120KB
MD5

4aeb49bf7e23aab664de914df204664f
SHA1

a9a80ec2e9ea803aa8db80aac266826304916dbf
SHA256

d11342ce9c7550e129e455126cb6373145ea86ae5ee777a652205541ef4cec2c
SHA512

494bb1b3b713ca9592568dc58b27696f64b727dbdcd03f646f3a57235ffbe5a6ffde659bcef7fa13b7ebd854fd67ba8dd5fb0e23c1bcbf2d661896ebc23bf57e

Score

10^/10

guloader neshta downloader persistence spyware

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

4aeb49bf7e23aab664de914df204664f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4aeb49bf7e23aab664de914df204664f.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

4aeb49bf7e23aab664de914df204664f.exe

pid process

2524 4aeb49bf7e23aab664de914df204664f.exe
Drops file in Windows directory 1 IoCs

Processes:

4aeb49bf7e23aab664de914df204664f.exe

description ioc process

File opened for modification C:\Windows\svchost.com 4aeb49bf7e23aab664de914df204664f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2524	4aeb49bf7e23aab664de914df204664f.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	4aeb49bf7e23aab664de914df204664f.exe

Modifies registry class 1 IoCs

Processes:

4aeb49bf7e23aab664de914df204664f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4aeb49bf7e23aab664de914df204664f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4aeb49bf7e23aab664de914df204664f.exe

pid process

2524 4aeb49bf7e23aab664de914df204664f.exe

pid	process
2524	4aeb49bf7e23aab664de914df204664f.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4aeb49bf7e23aab664de914df204664f.exe

description	pid	process	target process
PID 2168 wrote to memory of 2524	2168	4aeb49bf7e23aab664de914df204664f.exe	4aeb49bf7e23aab664de914df204664f.exe
PID 2168 wrote to memory of 2524	2168	4aeb49bf7e23aab664de914df204664f.exe	4aeb49bf7e23aab664de914df204664f.exe
PID 2168 wrote to memory of 2524	2168	4aeb49bf7e23aab664de914df204664f.exe	4aeb49bf7e23aab664de914df204664f.exe

C:\Users\Admin\AppData\Local\Temp\4aeb49bf7e23aab664de914df204664f.exe
"C:\Users\Admin\AppData\Local\Temp\4aeb49bf7e23aab664de914df204664f.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\3582-490\4aeb49bf7e23aab664de914df204664f.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\4aeb49bf7e23aab664de914df204664f.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\4aeb49bf7e23aab664de914df204664f.exe
MD5
c666c22685d135c1efe709cbedd0eb6b

SHA1
0da7aed60d8a194da98c44cd5ad76efc57e00dff

SHA256
a393c2aa773ef090f5e907c90c5cf90d67c2b6db2a2ffedac0b75c748f3a7b45

SHA512
6430a0ec3002777df9357463eb3f1c279b5e4b1778bc8ff77140c947d484e8d5d17dd268c3744008d0cb52fcd58232489c2a8335e816462b1d35f11949f8fea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4aeb49bf7e23aab664de914df204664f.exe
MD5
c666c22685d135c1efe709cbedd0eb6b

SHA1
0da7aed60d8a194da98c44cd5ad76efc57e00dff

SHA256
a393c2aa773ef090f5e907c90c5cf90d67c2b6db2a2ffedac0b75c748f3a7b45

SHA512
6430a0ec3002777df9357463eb3f1c279b5e4b1778bc8ff77140c947d484e8d5d17dd268c3744008d0cb52fcd58232489c2a8335e816462b1d35f11949f8fea8

Download Submit
memory/2524-115-0x0000000000000000-mapping.dmp

Download
memory/2524-120-0x00000000029E0000-0x00000000029EF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads