guloader | 2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72

Analysis

max time kernel
115s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe
Size

817KB
MD5

ca294a7cd41349c52db4336d3dd4d9a7
SHA1

b657c74a81c2c5c7729c2128bcd66da89f95afd1
SHA256

2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72
SHA512

e8a1a3e904691043ff329253f7d93a095f0cac877ff1c56776373b623e4dd47902f2c0dd39ae35150eeb180b3250e3da9bf6ee5b5e0e92530aa72d3f9716853b
SSDEEP

12288:rzHSwv6XXvvYRVb8UBrbGDKWEyxhXRHZr8PB+guORV4kb:yY6XXIRV/OKWEyBHZr8PQgNzn

Score

10^/10

guloader collection discovery downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Loads dropped DLL 1 IoCs

Processes:

2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe

pid process

2808 2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe

pid	process
2808	2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

caspol.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	caspol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\uendeligheden.exe"	caspol.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

52 ip-api.com
54 icanhazip.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

2296 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.execaspol.exe

pid process

2808 2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe
2296 caspol.exe

flow	ioc
52	ip-api.com
54	icanhazip.com

pid	process
2808	2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe
2296	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe

description	pid	process	target process
PID 2808 set thread context of 2296	2808	2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe	caspol.exe

Drops file in Windows directory 1 IoCs

Processes:

caspol.exe

description ioc process

File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1448 2296 WerFault.exe caspol.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\	caspol.exe

pid	pid_target	process	target process
1448	2296	WerFault.exe	caspol.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

caspol.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	caspol.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	caspol.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

caspol.exe

pid	process
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe
2296	caspol.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe

pid process

2808 2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

caspol.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 2296 caspol.exe
Token: SeSecurityPrivilege 5112 msiexec.exe

pid	process
2808	2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe

description	pid	process
Token: SeDebugPrivilege	2296	caspol.exe
Token: SeSecurityPrivilege	5112	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.execaspol.execmd.execmd.exe

description	pid	process	target process
PID 2808 wrote to memory of 2296	2808	2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe	caspol.exe
PID 2808 wrote to memory of 2296	2808	2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe	caspol.exe
PID 2808 wrote to memory of 2296	2808	2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe	caspol.exe
PID 2808 wrote to memory of 2296	2808	2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe	caspol.exe
PID 2296 wrote to memory of 4768	2296	caspol.exe	cmd.exe
PID 2296 wrote to memory of 4768	2296	caspol.exe	cmd.exe
PID 2296 wrote to memory of 4768	2296	caspol.exe	cmd.exe
PID 4768 wrote to memory of 2352	4768	cmd.exe	chcp.com
PID 4768 wrote to memory of 2352	4768	cmd.exe	chcp.com
PID 4768 wrote to memory of 2352	4768	cmd.exe	chcp.com
PID 4768 wrote to memory of 4164	4768	cmd.exe	netsh.exe
PID 4768 wrote to memory of 4164	4768	cmd.exe	netsh.exe
PID 4768 wrote to memory of 4164	4768	cmd.exe	netsh.exe
PID 4768 wrote to memory of 1496	4768	cmd.exe	findstr.exe
PID 4768 wrote to memory of 1496	4768	cmd.exe	findstr.exe
PID 4768 wrote to memory of 1496	4768	cmd.exe	findstr.exe
PID 2296 wrote to memory of 4008	2296	caspol.exe	cmd.exe
PID 2296 wrote to memory of 4008	2296	caspol.exe	cmd.exe
PID 2296 wrote to memory of 4008	2296	caspol.exe	cmd.exe
PID 4008 wrote to memory of 3548	4008	cmd.exe	chcp.com
PID 4008 wrote to memory of 3548	4008	cmd.exe	chcp.com
PID 4008 wrote to memory of 3548	4008	cmd.exe	chcp.com
PID 4008 wrote to memory of 4168	4008	cmd.exe	netsh.exe
PID 4008 wrote to memory of 4168	4008	cmd.exe	netsh.exe
PID 4008 wrote to memory of 4168	4008	cmd.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Users\Admin\AppData\Local\Temp\2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe
"C:\Users\Admin\AppData\Local\Temp\2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\2af4e6b031c848337c9ecc26b07d888d6a37964137125cad1475fc646adcee72.exe"
  2⤵
  - Checks QEMU agent file
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4164
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3548
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:4168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 3616
    3⤵
    - Program crash
    PID:1448

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2296 -ip 2296
1⤵
PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstAA8F.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/1496-155-0x0000000000000000-mapping.dmp

Download
memory/2296-147-0x0000000038D30000-0x0000000038D96000-memory.dmp

Filesize
408KB

Download
memory/2296-161-0x00007FFEB31B0000-0x00007FFEB33A5000-memory.dmp

Filesize
2.0MB

Download
memory/2296-148-0x00007FFEB31B0000-0x00007FFEB33A5000-memory.dmp

Filesize
2.0MB

Download
memory/2296-160-0x0000000001300000-0x0000000005F0F000-memory.dmp

Filesize
76.1MB

Download
memory/2296-138-0x0000000001300000-0x0000000005F0F000-memory.dmp

Filesize
76.1MB

Download
memory/2296-139-0x0000000001300000-0x0000000005F0F000-memory.dmp

Filesize
76.1MB

Download
memory/2296-140-0x00007FFEB31B0000-0x00007FFEB33A5000-memory.dmp

Filesize
2.0MB

Download
memory/2296-141-0x00000000776F0000-0x0000000077893000-memory.dmp

Filesize
1.6MB

Download
memory/2296-142-0x00000000776F0000-0x0000000077893000-memory.dmp

Filesize
1.6MB

Download
memory/2296-143-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2296-144-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2296-146-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/2296-136-0x0000000000000000-mapping.dmp

Download
memory/2296-159-0x00000000776F0000-0x0000000077893000-memory.dmp

Filesize
1.6MB

Download
memory/2296-149-0x00000000776F0000-0x0000000077893000-memory.dmp

Filesize
1.6MB

Download
memory/2296-150-0x0000000039D80000-0x0000000039E12000-memory.dmp

Filesize
584KB

Download
memory/2296-152-0x000000003A3D0000-0x000000003A974000-memory.dmp

Filesize
5.6MB

Download
memory/2352-153-0x0000000000000000-mapping.dmp

Download
memory/2808-133-0x00000000032F0000-0x00000000033CB000-memory.dmp

Filesize
876KB

Download
memory/2808-135-0x00000000776F0000-0x0000000077893000-memory.dmp

Filesize
1.6MB

Download
memory/2808-137-0x00000000776F0000-0x0000000077893000-memory.dmp

Filesize
1.6MB

Download
memory/2808-134-0x00007FFEB31B0000-0x00007FFEB33A5000-memory.dmp

Filesize
2.0MB

Download
memory/3548-157-0x0000000000000000-mapping.dmp

Download
memory/4008-156-0x0000000000000000-mapping.dmp

Download
memory/4164-154-0x0000000000000000-mapping.dmp

Download
memory/4168-158-0x0000000000000000-mapping.dmp

Download
memory/4768-151-0x0000000000000000-mapping.dmp

Download