guloader | 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923

General

Target

29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
Size

52KB
MD5

61ce777555ee4d591ff151e0927ab8d4
SHA1

3c5a6a8825101a71d2372f5c6961861ef1b4223f
SHA256

29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923
SHA512

3783ae2713492347fa627e51f3def9ec0502ed5c4d0f7e5c0932f80fa93e6a951ceb5708bd6347c031e081b1f7017bf86597db34fb6655f2f748439c825bd628

Score

10^/10

guloader downloader persistence

Malware Config

Extracted

Family

guloader

C2

https://share.dmca.gripe/hUZTLm0ETh86oDEL.bin

xor.base64

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Executes dropped EXE 1 IoCs

Processes:

filename1.exe

pid process

1644 filename1.exe

pid	process
1644	filename1.exe

Loads dropped DLL 3 IoCs

Processes:

29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exefilename1.exe

pid	process
584	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
584	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
1208	filename1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exefilename1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\subfolder1\\filename1.vbs"	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	filename1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\subfolder1\\filename1.vbs"	filename1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exefilename1.exefilename1.exe

pid	process
1940	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
584	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
1644	filename1.exe
1208	filename1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exefilename1.exe

description	pid	process	target process
PID 1940 set thread context of 584	1940	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
PID 1644 set thread context of 1208	1644	filename1.exe	filename1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exefilename1.exe

pid process

1940 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
1644 filename1.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exefilename1.exe

pid process

1940 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
1644 filename1.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exefilename1.exe

description	pid	process	target process
PID 1940 wrote to memory of 584	1940	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
PID 1940 wrote to memory of 584	1940	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
PID 1940 wrote to memory of 584	1940	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
PID 1940 wrote to memory of 584	1940	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
PID 1940 wrote to memory of 584	1940	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
PID 584 wrote to memory of 1644	584	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	filename1.exe
PID 584 wrote to memory of 1644	584	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	filename1.exe
PID 584 wrote to memory of 1644	584	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	filename1.exe
PID 584 wrote to memory of 1644	584	29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe	filename1.exe
PID 1644 wrote to memory of 1208	1644	filename1.exe	filename1.exe
PID 1644 wrote to memory of 1208	1644	filename1.exe	filename1.exe
PID 1644 wrote to memory of 1208	1644	filename1.exe	filename1.exe
PID 1644 wrote to memory of 1208	1644	filename1.exe	filename1.exe
PID 1644 wrote to memory of 1208	1644	filename1.exe	filename1.exe

C:\Users\Admin\AppData\Local\Temp\29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
"C:\Users\Admin\AppData\Local\Temp\29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe
"C:\Users\Admin\AppData\Local\Temp\29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\subfolder1\filename1.exe
"C:\Users\Admin\subfolder1\filename1.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\subfolder1\filename1.exe
"C:\Users\Admin\subfolder1\filename1.exe"
4⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\subfolder1\filename1.exe
MD5
61ce777555ee4d591ff151e0927ab8d4

SHA1
3c5a6a8825101a71d2372f5c6961861ef1b4223f

SHA256
29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923

SHA512
3783ae2713492347fa627e51f3def9ec0502ed5c4d0f7e5c0932f80fa93e6a951ceb5708bd6347c031e081b1f7017bf86597db34fb6655f2f748439c825bd628

Download Submit
C:\Users\Admin\subfolder1\filename1.exe
MD5
61ce777555ee4d591ff151e0927ab8d4

SHA1
3c5a6a8825101a71d2372f5c6961861ef1b4223f

SHA256
29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923

SHA512
3783ae2713492347fa627e51f3def9ec0502ed5c4d0f7e5c0932f80fa93e6a951ceb5708bd6347c031e081b1f7017bf86597db34fb6655f2f748439c825bd628

Download Submit
C:\Users\Admin\subfolder1\filename1.exe
MD5
61ce777555ee4d591ff151e0927ab8d4

SHA1
3c5a6a8825101a71d2372f5c6961861ef1b4223f

SHA256
29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923

SHA512
3783ae2713492347fa627e51f3def9ec0502ed5c4d0f7e5c0932f80fa93e6a951ceb5708bd6347c031e081b1f7017bf86597db34fb6655f2f748439c825bd628

Download Submit
\Users\Admin\subfolder1\filename1.exe
MD5
61ce777555ee4d591ff151e0927ab8d4

SHA1
3c5a6a8825101a71d2372f5c6961861ef1b4223f

SHA256
29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923

SHA512
3783ae2713492347fa627e51f3def9ec0502ed5c4d0f7e5c0932f80fa93e6a951ceb5708bd6347c031e081b1f7017bf86597db34fb6655f2f748439c825bd628

Download Submit
\Users\Admin\subfolder1\filename1.exe
MD5
61ce777555ee4d591ff151e0927ab8d4

SHA1
3c5a6a8825101a71d2372f5c6961861ef1b4223f

SHA256
29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923

SHA512
3783ae2713492347fa627e51f3def9ec0502ed5c4d0f7e5c0932f80fa93e6a951ceb5708bd6347c031e081b1f7017bf86597db34fb6655f2f748439c825bd628

Download Submit
memory/584-59-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/584-66-0x00000000001B0000-0x0000000000400000-memory.dmp

Filesize
2.3MB

Download
memory/584-67-0x00000000773F0000-0x0000000077599000-memory.dmp

Filesize
1.7MB

Download
memory/584-68-0x00000000775D0000-0x0000000077750000-memory.dmp

Filesize
1.5MB

Download
memory/1208-87-0x00000000775D0000-0x0000000077750000-memory.dmp

Filesize
1.5MB

Download
memory/1208-86-0x00000000773F0000-0x0000000077599000-memory.dmp

Filesize
1.7MB

Download
memory/1208-85-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/1644-78-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/1644-80-0x00000000773F0000-0x0000000077599000-memory.dmp

Filesize
1.7MB

Download
memory/1644-82-0x00000000775D0000-0x0000000077750000-memory.dmp

Filesize
1.5MB

Download
memory/1940-57-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download
memory/1940-63-0x00000000775D0000-0x0000000077750000-memory.dmp

Filesize
1.5MB

Download
memory/1940-60-0x00000000773F0000-0x0000000077599000-memory.dmp

Filesize
1.7MB

Download
memory/1940-58-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads