guloader | ce3884be774641ca941308377c3ffd5ed1ed96ba0d9257106f85e4445bfb10ba

General

Target

Trice Chemical February-PO#67388pdf.exe
Size

396KB
MD5

99f18e1392de2176e675ed6a03bfc9d7
SHA1

ddc161c761aff3f7e9c66dfbf7e10a7c0fd83ea5
SHA256

ce3884be774641ca941308377c3ffd5ed1ed96ba0d9257106f85e4445bfb10ba
SHA512

70c89c2f66036dcf37be600fc381eac24c41afa616ad88d0b73aa8c02ba0b63e273533b60018e5fddee1444c8c02c3a16f18811ce9d9875a29606de61785dc62
SSDEEP

12288:92fISNErVIouVe6HMtjEjE8VapPUsgI/2B:92f9NQVIoV4CxiapPUsz/S

Score

10^/10

guloader collection discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1968-78-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1968-80-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1440-87-0x0000000000F70000-0x0000000000FA5000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1616-77-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1052-76-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1616-77-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1968-78-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1968-80-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1440-87-0x0000000000F70000-0x0000000000FA5000-memory.dmp	Nirsoft

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Trice Chemical February-PO#67388pdf.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Trice Chemical February-PO#67388pdf.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Loads dropped DLL 1 IoCs

Processes:

Trice Chemical February-PO#67388pdf.exe

pid process

1988 Trice Chemical February-PO#67388pdf.exe

pid	process
1988	Trice Chemical February-PO#67388pdf.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

ieinstal.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ieinstal.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ieinstal.exe

pid process

1440 ieinstal.exe
1440 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Trice Chemical February-PO#67388pdf.exeieinstal.exe

pid process

1988 Trice Chemical February-PO#67388pdf.exe
1440 ieinstal.exe

pid	process
1440	ieinstal.exe
1440	ieinstal.exe

pid	process
1988	Trice Chemical February-PO#67388pdf.exe
1440	ieinstal.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Trice Chemical February-PO#67388pdf.exeieinstal.exe

description	pid	process	target process
PID 1988 set thread context of 1440	1988	Trice Chemical February-PO#67388pdf.exe	ieinstal.exe
PID 1440 set thread context of 1616	1440	ieinstal.exe	ieinstal.exe
PID 1440 set thread context of 1968	1440	ieinstal.exe	ieinstal.exe
PID 1440 set thread context of 1052	1440	ieinstal.exe	ieinstal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ieinstal.exe

pid process

1616 ieinstal.exe
1616 ieinstal.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

Trice Chemical February-PO#67388pdf.exeieinstal.exe

pid process

1988 Trice Chemical February-PO#67388pdf.exe
1440 ieinstal.exe
1440 ieinstal.exe
1440 ieinstal.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ieinstal.exe

description pid process

Token: SeDebugPrivilege 1052 ieinstal.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ieinstal.exe

pid process

1440 ieinstal.exe

pid	process
1616	ieinstal.exe
1616	ieinstal.exe

pid	process
1988	Trice Chemical February-PO#67388pdf.exe
1440	ieinstal.exe
1440	ieinstal.exe
1440	ieinstal.exe

description	pid	process
Token: SeDebugPrivilege	1052	ieinstal.exe

pid	process
1440	ieinstal.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Trice Chemical February-PO#67388pdf.exeieinstal.exe

description	pid	process	target process
PID 1988 wrote to memory of 1440	1988	Trice Chemical February-PO#67388pdf.exe	ieinstal.exe
PID 1988 wrote to memory of 1440	1988	Trice Chemical February-PO#67388pdf.exe	ieinstal.exe
PID 1988 wrote to memory of 1440	1988	Trice Chemical February-PO#67388pdf.exe	ieinstal.exe
PID 1988 wrote to memory of 1440	1988	Trice Chemical February-PO#67388pdf.exe	ieinstal.exe
PID 1988 wrote to memory of 1440	1988	Trice Chemical February-PO#67388pdf.exe	ieinstal.exe
PID 1988 wrote to memory of 1440	1988	Trice Chemical February-PO#67388pdf.exe	ieinstal.exe
PID 1988 wrote to memory of 1440	1988	Trice Chemical February-PO#67388pdf.exe	ieinstal.exe
PID 1988 wrote to memory of 1440	1988	Trice Chemical February-PO#67388pdf.exe	ieinstal.exe
PID 1440 wrote to memory of 1616	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1616	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1616	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1616	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1616	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1616	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1616	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1616	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1968	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1968	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1968	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1968	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1968	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1968	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1968	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1968	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1052	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1052	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1052	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1052	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1052	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1052	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1052	1440	ieinstal.exe	ieinstal.exe
PID 1440 wrote to memory of 1052	1440	ieinstal.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\Trice Chemical February-PO#67388pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Trice Chemical February-PO#67388pdf.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\Trice Chemical February-PO#67388pdf.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ntectxhjqvontjnusamgd"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qnjutqscedgsvpjyjlghghpt"
3⤵
- Accesses Microsoft Outlook accounts
PID:1968

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\appnuileslywgdxkswtbrtjkavx"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ntectxhjqvontjnusamgd
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\nso70C1.tmp\System.dll
Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
memory/1052-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1052-72-0x0000000000422206-mapping.dmp

Download
memory/1440-85-0x0000000000F70000-0x0000000000FA5000-memory.dmp

Filesize
212KB

Download
memory/1440-61-0x000000000314CABE-mapping.dmp

Download
memory/1440-84-0x0000000000F80000-0x0000000000F99000-memory.dmp

Filesize
100KB

Download
memory/1440-82-0x0000000000F80000-0x0000000000F99000-memory.dmp

Filesize
100KB

Download
memory/1440-66-0x00000000772A0000-0x0000000077449000-memory.dmp

Filesize
1.7MB

Download
memory/1440-60-0x00000000012E0000-0x0000000003C4D000-memory.dmp

Filesize
41.4MB

Download
memory/1440-68-0x00000000012E0000-0x0000000003C4D000-memory.dmp

Filesize
41.4MB

Download
memory/1440-87-0x0000000000F70000-0x0000000000FA5000-memory.dmp

Filesize
212KB

Download
memory/1616-77-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1616-70-0x0000000000476274-mapping.dmp

Download
memory/1968-71-0x0000000000455238-mapping.dmp

Download
memory/1968-78-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1968-80-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1988-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1988-69-0x0000000077480000-0x0000000077600000-memory.dmp

Filesize
1.5MB

Download
memory/1988-67-0x0000000077480000-0x0000000077600000-memory.dmp

Filesize
1.5MB

Download
memory/1988-63-0x0000000077480000-0x0000000077600000-memory.dmp

Filesize
1.5MB

Download
memory/1988-62-0x0000000077480000-0x0000000077600000-memory.dmp

Filesize
1.5MB

Download
memory/1988-57-0x00000000772A0000-0x0000000077449000-memory.dmp

Filesize
1.7MB

Download
memory/1988-56-0x00000000036E0000-0x000000000383C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads