guloader | 7c54b7d54c409f3eee45a1ed7e7eee5da5c0577c2fcf974defa989d75a9ef9aa

General

Target

VAN DE WERT - po240975_jpg.exe
Size

445KB
MD5

e5fdfc2e819712600c1cf79d4f274022
SHA1

bc947ca0dc25f1ba54ccbe5a14d84f53f22feb9d
SHA256

7c54b7d54c409f3eee45a1ed7e7eee5da5c0577c2fcf974defa989d75a9ef9aa
SHA512

aec8f7481909206169cc7f51b6fb7747e214f237db71ba7ec523a495256179412a17eab91346e9d04b6c622743a4b7693b5bc64a6c3e0ece9f9b4b63c47ddf21
SSDEEP

12288:SzgOyj6Yd/6W48bLL+NVkOb/wZKpYgIgfC:jOyvd/zLLAVkObosW

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VAN DE WERT - po240975_jpg.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	VAN DE WERT - po240975_jpg.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Loads dropped DLL 1 IoCs

Processes:

VAN DE WERT - po240975_jpg.exe

pid process

1456 VAN DE WERT - po240975_jpg.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

VAN DE WERT - po240975_jpg.execaspol.exe

pid process

1456 VAN DE WERT - po240975_jpg.exe
760 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

VAN DE WERT - po240975_jpg.exe

description pid process target process

PID 1456 set thread context of 760 1456 VAN DE WERT - po240975_jpg.exe caspol.exe
Drops file in Program Files directory 1 IoCs

Processes:

VAN DE WERT - po240975_jpg.exe

description ioc process

File opened for modification C:\Program Files (x86)\Common Files\Bidtes\Euphemise.Tvi VAN DE WERT - po240975_jpg.exe
Drops file in Windows directory 1 IoCs

Processes:

VAN DE WERT - po240975_jpg.exe

description ioc process

File opened for modification C:\Windows\Albueskaden76.Cha VAN DE WERT - po240975_jpg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

VAN DE WERT - po240975_jpg.exe

pid process

1456 VAN DE WERT - po240975_jpg.exe

pid	process
1456	VAN DE WERT - po240975_jpg.exe

pid	process
1456	VAN DE WERT - po240975_jpg.exe
760	caspol.exe

description	pid	process	target process
PID 1456 set thread context of 760	1456	VAN DE WERT - po240975_jpg.exe	caspol.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Bidtes\Euphemise.Tvi	VAN DE WERT - po240975_jpg.exe

description	ioc	process
File opened for modification	C:\Windows\Albueskaden76.Cha	VAN DE WERT - po240975_jpg.exe

pid	process
1456	VAN DE WERT - po240975_jpg.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

VAN DE WERT - po240975_jpg.exe

description	pid	process	target process
PID 1456 wrote to memory of 760	1456	VAN DE WERT - po240975_jpg.exe	caspol.exe
PID 1456 wrote to memory of 760	1456	VAN DE WERT - po240975_jpg.exe	caspol.exe
PID 1456 wrote to memory of 760	1456	VAN DE WERT - po240975_jpg.exe	caspol.exe
PID 1456 wrote to memory of 760	1456	VAN DE WERT - po240975_jpg.exe	caspol.exe
PID 1456 wrote to memory of 760	1456	VAN DE WERT - po240975_jpg.exe	caspol.exe

C:\Users\Admin\AppData\Local\Temp\VAN DE WERT - po240975_jpg.exe
"C:\Users\Admin\AppData\Local\Temp\VAN DE WERT - po240975_jpg.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\VAN DE WERT - po240975_jpg.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst391D.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/760-68-0x00000000778C0000-0x0000000077A69000-memory.dmp

Filesize
1.7MB

Download
memory/760-61-0x00000000009B8A9E-mapping.dmp

Download
memory/760-72-0x0000000077AA0000-0x0000000077C20000-memory.dmp

Filesize
1.5MB

Download
memory/760-70-0x0000000077AA0000-0x0000000077C20000-memory.dmp

Filesize
1.5MB

Download
memory/760-64-0x0000000000080000-0x0000000000180000-memory.dmp

Filesize
1024KB

Download
memory/760-67-0x0000000000080000-0x0000000000180000-memory.dmp

Filesize
1024KB

Download
memory/1456-65-0x0000000077AA0000-0x0000000077C20000-memory.dmp

Filesize
1.5MB

Download
memory/1456-63-0x0000000077AA0000-0x0000000077C20000-memory.dmp

Filesize
1.5MB

Download
memory/1456-56-0x0000000003740000-0x0000000003841000-memory.dmp

Filesize
1.0MB

Download
memory/1456-66-0x0000000077AA0000-0x0000000077C20000-memory.dmp

Filesize
1.5MB

Download
memory/1456-62-0x0000000077AA0000-0x0000000077C20000-memory.dmp

Filesize
1.5MB

Download
memory/1456-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1456-58-0x00000000778C0000-0x0000000077A69000-memory.dmp

Filesize
1.7MB

Download
memory/1456-57-0x0000000003740000-0x0000000003841000-memory.dmp

Filesize
1.0MB

Download
memory/1456-73-0x0000000003740000-0x0000000003841000-memory.dmp

Filesize
1.0MB

Download
memory/1456-74-0x0000000077AA0000-0x0000000077C20000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing