guloader | f2d084f0a71c46d2152cefc1255135c367bc439ab35471746061a858282c6b69

Analysis

max time kernel
299s
max time network
304s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
09-02-2023 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Буџет за 2023.exe
Size

553KB
MD5

02d3420e0bc7ee42be3ac64bf0754a9e
SHA1

d68c19a349f19faad729f5f5a5733e5b114d061c
SHA256

f2d084f0a71c46d2152cefc1255135c367bc439ab35471746061a858282c6b69
SHA512

84b4b45c3993bfd18d80f785b4982646a1d760c6367803e99f8fdb4e6c3cc58d38866c65d2f3b4d2e53693c705837377b848d5fd444bdd43da27e27c0292f030
SSDEEP

12288:YkylifmvMhxliCymp+N8v2ocCSivrlicgwHeS:glgli7j8vcKGK

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Буџет за 2023.exeБуџет за 2023.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Буџет за 2023.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Буџет за 2023.exe

Loads dropped DLL 20 IoCs

Processes:

Буџет за 2023.exe

pid	process
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe
1652	Буџет за 2023.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

Буџет за 2023.exe

pid process

1852 Буџет за 2023.exe
1852 Буџет за 2023.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Буџет за 2023.exeБуџет за 2023.exe

pid process

1652 Буџет за 2023.exe
1852 Буџет за 2023.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Буџет за 2023.exe

description pid process target process

PID 1652 set thread context of 1852 1652 Буџет за 2023.exe Буџет за 2023.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Буџет за 2023.exe

pid process

1652 Буџет за 2023.exe

pid	process
1852	Буџет за 2023.exe
1852	Буџет за 2023.exe

description	pid	process	target process
PID 1652 set thread context of 1852	1652	Буџет за 2023.exe	Буџет за 2023.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	544	AUDIODG.EXE
Token: 33	544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	544	AUDIODG.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Буџет за 2023.exe

description	pid	process	target process
PID 1652 wrote to memory of 1852	1652	Буџет за 2023.exe	Буџет за 2023.exe
PID 1652 wrote to memory of 1852	1652	Буџет за 2023.exe	Буџет за 2023.exe
PID 1652 wrote to memory of 1852	1652	Буџет за 2023.exe	Буџет за 2023.exe
PID 1652 wrote to memory of 1852	1652	Буџет за 2023.exe	Буџет за 2023.exe
PID 1652 wrote to memory of 1852	1652	Буџет за 2023.exe	Буџет за 2023.exe
PID 1652 wrote to memory of 1852	1652	Буџет за 2023.exe	Буџет за 2023.exe
PID 1652 wrote to memory of 1852	1652	Буџет за 2023.exe	Буџет за 2023.exe
PID 1652 wrote to memory of 1852	1652	Буџет за 2023.exe	Буџет за 2023.exe

C:\Users\Admin\AppData\Local\Temp\Буџет за 2023.exe
"C:\Users\Admin\AppData\Local\Temp\Буџет за 2023.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\Буџет за 2023.exe
"C:\Users\Admin\AppData\Local\Temp\Буџет за 2023.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1852

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1DA0.tmp\System.dll
Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/964-93-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1652-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1652-75-0x0000000003740000-0x0000000008D71000-memory.dmp

Filesize
86.2MB

Download
memory/1652-76-0x0000000003740000-0x0000000008D71000-memory.dmp

Filesize
86.2MB

Download
memory/1652-77-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/1652-90-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1652-82-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1652-83-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1852-84-0x0000000001470000-0x0000000006AA1000-memory.dmp

Filesize
86.2MB

Download
memory/1852-85-0x0000000001470000-0x0000000006AA1000-memory.dmp

Filesize
86.2MB

Download
memory/1852-86-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/1852-89-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1852-81-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1852-91-0x0000000077030000-0x00000000771D9000-memory.dmp

Filesize
1.7MB

Download
memory/1852-92-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1852-80-0x00000000004032FE-mapping.dmp

Download
memory/1852-94-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/1852-95-0x0000000001470000-0x0000000006AA1000-memory.dmp

Filesize
86.2MB

Download