guloader | 49c664a223499b26d21c32fa465d34dda9c824a3940eda061ea8ccfdac003a3a

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2023, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gardenizes.exe
Size

526KB
MD5

272af9392194c64dd28d80bc09098a11
SHA1

5b87e32283412d27880e43db5670ac05591e5fb5
SHA256

49c664a223499b26d21c32fa465d34dda9c824a3940eda061ea8ccfdac003a3a
SHA512

f332313483d647f80c9d521cdce765cbebabe0dbd6f3e1467c723c597e09056f33f0849c785a76496f74a5c23bd04431b5246429e8e18e4bf3d5bbd9e48a409b
SSDEEP

12288:cVl7xI2ap5h9xrmJJlFdOmwLGIPpfjVHmDTiCba6fR:cb7xI2ap55momV8FjVHmO6fR

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Gardenizes.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Gardenizes.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Gardenizes.exe

Loads dropped DLL 1 IoCs

pid	Process
228	Gardenizes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1948	Gardenizes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
228	Gardenizes.exe
1948	Gardenizes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 1948	228	Gardenizes.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe
1948	Gardenizes.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
228	Gardenizes.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	Gardenizes.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1948	228	Gardenizes.exe	96
PID 228 wrote to memory of 1948	228	Gardenizes.exe	96
PID 228 wrote to memory of 1948	228	Gardenizes.exe	96
PID 228 wrote to memory of 1948	228	Gardenizes.exe	96

C:\Users\Admin\AppData\Local\Temp\Gardenizes.exe
"C:\Users\Admin\AppData\Local\Temp\Gardenizes.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\Gardenizes.exe
  "C:\Users\Admin\AppData\Local\Temp\Gardenizes.exe"
  2⤵
  - Checks QEMU agent file
  - Checks computer location settings
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nswCAAA.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/228-163-0x00000000045D0000-0x0000000005BC7000-memory.dmp

Filesize
22.0MB

Download
memory/228-164-0x00000000045D0000-0x0000000005BC7000-memory.dmp

Filesize
22.0MB

Download
memory/1948-165-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1948-166-0x0000000001660000-0x0000000002C57000-memory.dmp

Filesize
22.0MB

Download
memory/1948-167-0x0000000001660000-0x0000000002C57000-memory.dmp

Filesize
22.0MB

Download
memory/1948-168-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1948-181-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1948-182-0x0000000001660000-0x0000000002C57000-memory.dmp

Filesize
22.0MB

Download
memory/1948-183-0x0000000033220000-0x000000003356A000-memory.dmp

Filesize
3.3MB

Download
memory/1948-184-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download