guloader | 2e6a8bb2fcfef5cdc29aa03bfe22b01ebe7b3f71e09ad302dec93d672d1c3141

General

Target

a74960472ab338a421fb56948e742f2b.exe
Size

619KB
MD5

a74960472ab338a421fb56948e742f2b
SHA1

c39bd553f3a1b8147f98056f8ea81bb6d6099b1e
SHA256

2e6a8bb2fcfef5cdc29aa03bfe22b01ebe7b3f71e09ad302dec93d672d1c3141
SHA512

7cbbc8d2ba0202370a82bbd2f24a7123a364e41a89c6f1f5472f702c91cac9f976ea1189c32462f97e5bff8c46978c691df9260945eeefb5054b09b65289da9d
SSDEEP

12288:b7EWNDJccwIWYh7jQ4+ngZnz/B4WW3nVVP7ntr9+E78MNv1z2qcNjRtBnMAr8+:MUlyYtjQ4UWz/B4vT7CE78YvjsNfC+

Score

10^/10

guloader discovery downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a74960472ab338a421fb56948e742f2b.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	a74960472ab338a421fb56948e742f2b.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Loads dropped DLL 1 IoCs

Processes:

a74960472ab338a421fb56948e742f2b.exe

pid process

4216 a74960472ab338a421fb56948e742f2b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ieinstal.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Unnominated25 = "C:\\Users\\Admin\\AppData\\Roaming\\Cpa\\Alpargata.exe"	ieinstal.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ieinstal.exe

pid process

212 ieinstal.exe
212 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

a74960472ab338a421fb56948e742f2b.exeieinstal.exe

pid process

4216 a74960472ab338a421fb56948e742f2b.exe
212 ieinstal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

a74960472ab338a421fb56948e742f2b.exe

description pid process target process

PID 4216 set thread context of 212 4216 a74960472ab338a421fb56948e742f2b.exe ieinstal.exe
Drops file in Program Files directory 1 IoCs

Processes:

ieinstal.exe

description ioc process

File opened for modification C:\Program Files (x86)\internet explorer\ieinstal.exe ieinstal.exe
Drops file in Windows directory 1 IoCs

Processes:

a74960472ab338a421fb56948e742f2b.exe

description ioc process

File opened for modification C:\Windows\resources\0409\Vre\Prstekrave\Uskadeliggjort.Pun a74960472ab338a421fb56948e742f2b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

ieinstal.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings ieinstal.exe

pid	process
212	ieinstal.exe
212	ieinstal.exe

description	pid	process	target process
PID 4216 set thread context of 212	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\internet explorer\ieinstal.exe	ieinstal.exe

description	ioc	process
File opened for modification	C:\Windows\resources\0409\Vre\Prstekrave\Uskadeliggjort.Pun	a74960472ab338a421fb56948e742f2b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	ieinstal.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

a74960472ab338a421fb56948e742f2b.exe

pid	process
4216	a74960472ab338a421fb56948e742f2b.exe
4216	a74960472ab338a421fb56948e742f2b.exe
4216	a74960472ab338a421fb56948e742f2b.exe
4216	a74960472ab338a421fb56948e742f2b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ieinstal.exe

pid process

212 ieinstal.exe

pid	process
212	ieinstal.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a74960472ab338a421fb56948e742f2b.exeieinstal.exe

description	pid	process	target process
PID 4216 wrote to memory of 452	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 452	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 452	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 4984	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 4984	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 4984	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 4980	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 4980	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 4980	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 212	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 212	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 212	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 4216 wrote to memory of 212	4216	a74960472ab338a421fb56948e742f2b.exe	ieinstal.exe
PID 212 wrote to memory of 2340	212	ieinstal.exe	WScript.exe
PID 212 wrote to memory of 2340	212	ieinstal.exe	WScript.exe
PID 212 wrote to memory of 2340	212	ieinstal.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\a74960472ab338a421fb56948e742f2b.exe
"C:\Users\Admin\AppData\Local\Temp\a74960472ab338a421fb56948e742f2b.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4216

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\a74960472ab338a421fb56948e742f2b.exe"
2⤵
PID:452

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\a74960472ab338a421fb56948e742f2b.exe"
2⤵
PID:4984

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\a74960472ab338a421fb56948e742f2b.exe"
2⤵
PID:4980

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\a74960472ab338a421fb56948e742f2b.exe"
2⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\omrmzjvodqhwqobdnunzyoauflquawuy.vbs"
3⤵
PID:2340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nss68A4.tmp\System.dll
Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\omrmzjvodqhwqobdnunzyoauflquawuy.vbs
Filesize
366B

MD5
0fe2423601d3291b0b6326e6518286a0

SHA1
09746eb739147f191068aba1552cd616eabd5e1d

SHA256
1a899121e3969c2bb894e08765a57e8a65cb9154d71c3825baa6b4f2da61d8f3

SHA512
9632acaa96bf0d7bc5f3754d15117079888fcc23591007fc7f4d5dabfdb1e9300cf96ff3ee9266fe2d29ea118623651773d1002d5a3f91270471841d5012cec6

Download Submit
memory/212-150-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/212-149-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/212-148-0x0000000000C70000-0x00000000017B1000-memory.dmp

Filesize
11.3MB

Download
memory/212-136-0x0000000000000000-mapping.dmp

Download
memory/212-138-0x0000000000C70000-0x00000000017B1000-memory.dmp

Filesize
11.3MB

Download
memory/212-139-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/212-140-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/212-141-0x0000000000C70000-0x00000000017B1000-memory.dmp

Filesize
11.3MB

Download
memory/212-142-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/212-143-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/2340-146-0x0000000000000000-mapping.dmp

Download
memory/4216-137-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/4216-135-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/4216-134-0x00000000042D0000-0x0000000004E11000-memory.dmp

Filesize
11.3MB

Download
memory/4216-133-0x00000000042D0000-0x0000000004E11000-memory.dmp

Filesize
11.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads