guloader | e91bfe70067328c9a591c2d5af2edd9c35b8266b6478f9b66332080df1de5c8e

Resubmissions

11-10-2022 21:50

221011-1qah4agacq 10

11-10-2022 19:59

11-10-2022 19:33

11-10-2022 19:30

11-10-2022 17:12

11-10-2022 17:06

Analysis

max time kernel
162s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quote.exe
Size

310KB
MD5

bd8e7774e8a6ecb128344f67a186de29
SHA1

bb8f6320dbbe179952aefed8ad37678a97385c8c
SHA256

4d98cc89b7f976334ec2df4964679ae40ce2efa5e0ea93e44a88cd832e122daf
SHA512

28663d4fc87dc2c4c529b3ea8a27fc8f2c38bf34600ae1ff594da428fbb140cb2dab31ec219a75ed3814b74f0a7c64d03d48fc5aee451a2faf1dfcb27dba1069
SSDEEP

6144:xB+pqUQLU87hsR0qW6IqiQ928gJzoQRT0uAg67asMexycpMFX59F7MfZUSi2XxKL:xgKL2i0uAxasM2W55D4f+xOVn4uoF

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
5080	quote.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\resources\0409\telefoncomputerens\Freespace\Tnkest.lnk	quote.exe
File opened for modification	C:\Windows\resources\0409\Metage\Jansi\Koensfordeling.Kat	quote.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\quote.exe
"C:\Users\Admin\AppData\Local\Temp\quote.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl618B.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
memory/5080-133-0x00000000049C0000-0x0000000004AC1000-memory.dmp

Filesize
1.0MB

Download
memory/5080-134-0x00000000049C0000-0x0000000004AC1000-memory.dmp

Filesize
1.0MB

Download