guloader | 4506e6e700c4e9b899f09c826a0d34a4a601654ce891dec0fe5a62dbb89f82e7

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

008100179377_INV_AWB_20230329.exe
Size

339KB
MD5

8ee10213a8319fdec8c2229e264a01d4
SHA1

c4e084201355eb124444d2ef58e049386fd0fb39
SHA256

4506e6e700c4e9b899f09c826a0d34a4a601654ce891dec0fe5a62dbb89f82e7
SHA512

5f1ff49411157502a73b89e481f69d35c710e9d4b9340beadd5b92ac59ecc3ff7347597ac42c65393bc9b32821b8f4b86bf5135f28450fb55812a4f0dd1c4298
SSDEEP

6144:yPXlu0E/c84v3K/qVkEizYgANMNMK9QlOMMWVJvVyn2hsXWyVjrKr:5/GvK/qDiLBKfIWVJvV6C/ypa

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	008100179377_INV_AWB_20230329.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	008100179377_INV_AWB_20230329.exe

Loads dropped DLL 1 IoCs

pid	Process
4152	008100179377_INV_AWB_20230329.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4152	008100179377_INV_AWB_20230329.exe
1952	008100179377_INV_AWB_20230329.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4152 set thread context of 1952	4152	008100179377_INV_AWB_20230329.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4152	008100179377_INV_AWB_20230329.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 1952	4152	008100179377_INV_AWB_20230329.exe	93
PID 4152 wrote to memory of 1952	4152	008100179377_INV_AWB_20230329.exe	93
PID 4152 wrote to memory of 1952	4152	008100179377_INV_AWB_20230329.exe	93
PID 4152 wrote to memory of 1952	4152	008100179377_INV_AWB_20230329.exe	93

C:\Users\Admin\AppData\Local\Temp\008100179377_INV_AWB_20230329.exe
"C:\Users\Admin\AppData\Local\Temp\008100179377_INV_AWB_20230329.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\008100179377_INV_AWB_20230329.exe
  "C:\Users\Admin\AppData\Local\Temp\008100179377_INV_AWB_20230329.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsqBE26.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1952-144-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1952-145-0x0000000001660000-0x0000000002FC1000-memory.dmp

Filesize
25.4MB

Download
memory/1952-146-0x0000000001660000-0x0000000002FC1000-memory.dmp

Filesize
25.4MB

Download
memory/1952-156-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4152-142-0x00000000052A0000-0x0000000006C01000-memory.dmp

Filesize
25.4MB

Download
memory/4152-143-0x00000000052A0000-0x0000000006C01000-memory.dmp

Filesize
25.4MB

Download