Overview

overview

10

Static

static

1c27f57ddb...be.exe

windows7_x64

10

1c27f57ddb...be.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe

  • Size

    80KB

  • MD5

    950483bcaff55045d695761e386cb514

  • SHA1

    9a4cf1caf2bd6082883c24f6e4d6b98fffed71f0

  • SHA256

    1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe

  • SHA512

    90f8aed09c42fad97194bd1c4b787af72cae287e35516635ff4cfb92072340dd970d3e67182d8d5ab8662d6aa2b2cfc4b756aa17f04ba79b477c72ab56026900

Score
10/10
guloaderdownloaderguloaderpersistence

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1UnZE1_XDcad5DW8fsVFD8K1ZYDla2tyn

xor.base64

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Guloader Payload 2 IoCs
    guloader
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe
    "C:\Users\Admin\AppData\Local\Temp\1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\1c27f57ddb7c5ccbf08702936e1c53d064e6eb2083ed5fd95b210443a6d7ecbe.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/868-65-0x00000000002F0000-0x00000000003F0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/868-66-0x0000000076D30000-0x0000000076ED9000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/868-67-0x0000000076F10000-0x0000000077090000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1572-58-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1572-59-0x0000000000240000-0x000000000024A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1572-60-0x0000000076D30000-0x0000000076ED9000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1572-61-0x0000000076F10000-0x0000000077090000-memory.dmp
    Filesize

    1.5MB

    Download