guloader | 32ea41ff050f09d0b92967588a131e0a170cb46baf7ee58d03277d09336f89d9

General

Target

ODEME BILGILENDIRME 000284857577688 01162023.exe
Size

258KB
MD5

ef194272556559c7d4da6515efaaa09d
SHA1

713343ddc7b859c93dc58559aee00f62f2c48c97
SHA256

32ea41ff050f09d0b92967588a131e0a170cb46baf7ee58d03277d09336f89d9
SHA512

d488eef517aea854d6f9bb5c6de69ed4a573377c5279ce051cafe8ec3511a453101cf162925297a14f99d754e749a2129ee767e8620cca062e226cc165ecb5bc
SSDEEP

6144:haCoWj2mYBtHF3rvcZjvqM4SkF/92SRD3xRKBfe6:haCcBFRcZjy0kF/92SRBkI6

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

caspol.exeODEME BILGILENDIRME 000284857577688 01162023.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ODEME BILGILENDIRME 000284857577688 01162023.exe

Loads dropped DLL 1 IoCs

Processes:

ODEME BILGILENDIRME 000284857577688 01162023.exe

pid process

940 ODEME BILGILENDIRME 000284857577688 01162023.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

ODEME BILGILENDIRME 000284857577688 01162023.execaspol.exe

pid process

940 ODEME BILGILENDIRME 000284857577688 01162023.exe
1176 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ODEME BILGILENDIRME 000284857577688 01162023.exe

description pid process target process

PID 940 set thread context of 1176 940 ODEME BILGILENDIRME 000284857577688 01162023.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ODEME BILGILENDIRME 000284857577688 01162023.exe

pid process

940 ODEME BILGILENDIRME 000284857577688 01162023.exe
940 ODEME BILGILENDIRME 000284857577688 01162023.exe

pid	process
940	ODEME BILGILENDIRME 000284857577688 01162023.exe

pid	process
940	ODEME BILGILENDIRME 000284857577688 01162023.exe
1176	caspol.exe

description	pid	process	target process
PID 940 set thread context of 1176	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe

pid	process
940	ODEME BILGILENDIRME 000284857577688 01162023.exe
940	ODEME BILGILENDIRME 000284857577688 01162023.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ODEME BILGILENDIRME 000284857577688 01162023.exe

description	pid	process	target process
PID 940 wrote to memory of 568	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe
PID 940 wrote to memory of 568	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe
PID 940 wrote to memory of 568	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe
PID 940 wrote to memory of 568	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe
PID 940 wrote to memory of 1176	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe
PID 940 wrote to memory of 1176	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe
PID 940 wrote to memory of 1176	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe
PID 940 wrote to memory of 1176	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe
PID 940 wrote to memory of 1176	940	ODEME BILGILENDIRME 000284857577688 01162023.exe	caspol.exe

C:\Users\Admin\AppData\Local\Temp\ODEME BILGILENDIRME 000284857577688 01162023.exe
"C:\Users\Admin\AppData\Local\Temp\ODEME BILGILENDIRME 000284857577688 01162023.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\ODEME BILGILENDIRME 000284857577688 01162023.exe"
2⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\ODEME BILGILENDIRME 000284857577688 01162023.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsjC63E.tmp\System.dll
Filesize
11KB

MD5
be2621a78a13a56cf09e00dd98488360

SHA1
75f0539dc6af200a07cdb056cddddec595c6cfd2

SHA256
852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5

SHA512
b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

Download Submit
memory/940-69-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/940-56-0x0000000002790000-0x00000000033DA000-memory.dmp

Filesize
12.3MB

Download
memory/940-58-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/940-59-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/940-61-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/940-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/940-64-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/940-71-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1176-63-0x0000000000ED8A9E-mapping.dmp

Download
memory/1176-68-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/1176-70-0x0000000000EE0000-0x000000000374B000-memory.dmp

Filesize
40.4MB

Download
memory/1176-65-0x0000000000EE0000-0x000000000374B000-memory.dmp

Filesize
40.4MB

Download

Analysis

Sharing