guloader | 72dd4a485022615655369c7285637535701bd4209d8e03f1d4301e742d8a32eb

Analysis

max time kernel
147s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/06/2023, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DX99T-013 Rev1.exe
Size

803KB
MD5

97bdcb96c16cc016fd690098a234032e
SHA1

203eb97f6a036fa001e54260921aada4f1319520
SHA256

7ce56082e88d8baa1525aa06886fcc2d3df5f87983db227fa4a115d9619da2c1
SHA512

b14b1c96624a683345873c7e7c76a844fde03f698d8782a1be29fe5f20a9bdb295a07150cf5b4aa5b607859b05c5a2a841319a35fe63be90af19754cbea0c0ba
SSDEEP

24576:r9f5pn4BVOX6XQXgDUJKETJDxvesj048x:Tp4BYqX8gDkKCJDxGsux

Score

10^/10

guloader warzonerat discovery downloader evasion infostealer persistence rat upx

Malware Config

Extracted

Family

warzonerat

jabsgu.kozow.com:6186

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 10 IoCs

rat

resource	yara_rule
behavioral1/memory/272-80-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat
behavioral1/memory/272-84-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat
behavioral1/memory/272-100-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat
behavioral1/memory/272-101-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat
behavioral1/memory/272-106-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat
behavioral1/memory/272-107-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat
behavioral1/memory/272-110-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat
behavioral1/memory/272-111-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat
behavioral1/memory/272-114-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat
behavioral1/memory/272-115-0x0000000000400000-0x0000000001462000-memory.dmp	warzonerat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
944	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	DX99T-013 Rev1.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	DX99T-013 Rev1.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	DX99T-013 Rev1.exe

Executes dropped EXE 1 IoCs

pid	Process
1592	11.exe

Loads dropped DLL 3 IoCs

pid	Process
1436	DX99T-013 Rev1.exe
272	DX99T-013 Rev1.exe
1452	Process not Found

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015c56-94.dat	upx
behavioral1/files/0x0006000000015c56-96.dat	upx
behavioral1/files/0x0006000000015c56-97.dat	upx
behavioral1/memory/1592-104-0x0000000000E70000-0x0000000000E9D000-memory.dmp	upx
behavioral1/memory/1592-113-0x0000000000E70000-0x0000000000E9D000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	DX99T-013 Rev1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	DX99T-013 Rev1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\gFDjrqG = "0"	DX99T-013 Rev1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	DX99T-013 Rev1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	DX99T-013 Rev1.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
272	DX99T-013 Rev1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1436	DX99T-013 Rev1.exe
272	DX99T-013 Rev1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 272	1436	DX99T-013 Rev1.exe	27

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	DX99T-013 Rev1.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	DX99T-013 Rev1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Udyderne\Nonterminable\Dithionate.ini	DX99T-013 Rev1.exe
File created	C:\Program Files (x86)\Common Files\Ploce50\Underkjolers\Cetes.lnk	DX99T-013 Rev1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1452	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1436	DX99T-013 Rev1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1804	AUDIODG.EXE
Token: 33	1804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1804	AUDIODG.EXE
Token: SeDebugPrivilege	272	DX99T-013 Rev1.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 272	1436	DX99T-013 Rev1.exe	27
PID 1436 wrote to memory of 272	1436	DX99T-013 Rev1.exe	27
PID 1436 wrote to memory of 272	1436	DX99T-013 Rev1.exe	27
PID 1436 wrote to memory of 272	1436	DX99T-013 Rev1.exe	27
PID 1436 wrote to memory of 272	1436	DX99T-013 Rev1.exe	27
PID 272 wrote to memory of 1592	272	DX99T-013 Rev1.exe	32
PID 272 wrote to memory of 1592	272	DX99T-013 Rev1.exe	32
PID 272 wrote to memory of 1592	272	DX99T-013 Rev1.exe	32
PID 272 wrote to memory of 1592	272	DX99T-013 Rev1.exe	32
PID 1592 wrote to memory of 944	1592	11.exe	33
PID 1592 wrote to memory of 944	1592	11.exe	33
PID 1592 wrote to memory of 944	1592	11.exe	33
PID 1592 wrote to memory of 944	1592	11.exe	33

C:\Users\Admin\AppData\Local\Temp\DX99T-013 Rev1.exe
"C:\Users\Admin\AppData\Local\Temp\DX99T-013 Rev1.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\DX99T-013 Rev1.exe
  "C:\Users\Admin\AppData\Local\Temp\DX99T-013 Rev1.exe"
  2⤵
  - Sets DLL path for service in the registry
  - Checks QEMU agent file
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Users\Admin\AppData\Local\Temp\11.exe
    "C:\Users\Admin\AppData\Local\Temp\11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
      4⤵
      Modifies Windows Firewall
      PID:944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\11.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
\Users\Admin\AppData\Local\Temp\nsj4D96.tmp\System.dll

Filesize
11KB

MD5
be2621a78a13a56cf09e00dd98488360

SHA1
75f0539dc6af200a07cdb056cddddec595c6cfd2

SHA256
852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5

SHA512
b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

Download Submit
memory/272-111-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-100-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-78-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-80-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-83-0x0000000001470000-0x00000000030CB000-memory.dmp

Filesize
28.4MB

Download
memory/272-84-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-75-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-115-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-114-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-103-0x0000000038F00000-0x0000000038F2D000-memory.dmp

Filesize
180KB

Download
memory/272-76-0x0000000001470000-0x00000000030CB000-memory.dmp

Filesize
28.4MB

Download
memory/272-101-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-73-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-74-0x0000000001470000-0x00000000030CB000-memory.dmp

Filesize
28.4MB

Download
memory/272-106-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-107-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/272-109-0x0000000038F00000-0x0000000038F2D000-memory.dmp

Filesize
180KB

Download
memory/272-110-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1436-71-0x0000000002FD0000-0x0000000004C2B000-memory.dmp

Filesize
28.4MB

Download
memory/1436-72-0x0000000002FD0000-0x0000000004C2B000-memory.dmp

Filesize
28.4MB

Download
memory/1592-104-0x0000000000E70000-0x0000000000E9D000-memory.dmp

Filesize
180KB

Download
memory/1592-113-0x0000000000E70000-0x0000000000E9D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads