Analysis Overview
SHA256
2862f154ed0e21c853a4e215cd7f5ee6d18e166ee3a742702540d5a4bb206a2f
Threat Level: Known bad
The file 145.scr was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Loads dropped DLL
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
NSIS installer
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-13 16:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-13 16:55
Reported
2023-07-13 16:57
Platform
win7-20230712-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\145.scr | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\leaderess\smmendes\Udtrkssengs.int | C:\Users\Admin\AppData\Local\Temp\145.scr | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Fonts\bremsningerne\regionalgeografiers.Ber | C:\Users\Admin\AppData\Local\Temp\145.scr | N/A |
| File opened for modification | C:\Windows\resources\gemytlig\clamorers\trindeler\trappean.Ste213 | C:\Users\Admin\AppData\Local\Temp\145.scr | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\145.scr
"C:\Users\Admin\AppData\Local\Temp\145.scr" /S
Network
Files
C:\Users\Admin\Pictures\uhyrernes.ini
| MD5 | dd143147e10d519478db6e6956810edb |
| SHA1 | b7ff19de5084e38102023994ce40631aabde2133 |
| SHA256 | 332504cea7d45f5f2f2554d3842dab2d3b3eb656288352e65217ea3a99a8d45b |
| SHA512 | 9b1d7b9aa854f5d5a9cb903aa55a76c74c272e399f91484338e80d822dab61c7da907597d7302393646772ab36f2a9382f7c326a8f300deabb578198ec848eb9 |
\Users\Admin\AppData\Local\Temp\nstE34F.tmp\System.dll
| MD5 | fccff8cb7a1067e23fd2e2b63971a8e1 |
| SHA1 | 30e2a9e137c1223a78a0f7b0bf96a1c361976d91 |
| SHA256 | 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e |
| SHA512 | f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c |
memory/2288-262-0x0000000002D00000-0x00000000040CA000-memory.dmp
memory/2288-263-0x0000000002D00000-0x00000000040CA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-13 16:55
Reported
2023-07-13 16:57
Platform
win10v2004-20230703-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\145.scr | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\leaderess\smmendes\Udtrkssengs.int | C:\Users\Admin\AppData\Local\Temp\145.scr | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Fonts\bremsningerne\regionalgeografiers.Ber | C:\Users\Admin\AppData\Local\Temp\145.scr | N/A |
| File opened for modification | C:\Windows\resources\gemytlig\clamorers\trindeler\trappean.Ste213 | C:\Users\Admin\AppData\Local\Temp\145.scr | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\145.scr
"C:\Users\Admin\AppData\Local\Temp\145.scr" /S
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\Pictures\uhyrernes.ini
| MD5 | dd143147e10d519478db6e6956810edb |
| SHA1 | b7ff19de5084e38102023994ce40631aabde2133 |
| SHA256 | 332504cea7d45f5f2f2554d3842dab2d3b3eb656288352e65217ea3a99a8d45b |
| SHA512 | 9b1d7b9aa854f5d5a9cb903aa55a76c74c272e399f91484338e80d822dab61c7da907597d7302393646772ab36f2a9382f7c326a8f300deabb578198ec848eb9 |
C:\Users\Admin\AppData\Local\Temp\nsm71F6.tmp\System.dll
| MD5 | fccff8cb7a1067e23fd2e2b63971a8e1 |
| SHA1 | 30e2a9e137c1223a78a0f7b0bf96a1c361976d91 |
| SHA256 | 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e |
| SHA512 | f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c |
memory/844-341-0x00000000030B0000-0x000000000447A000-memory.dmp
memory/844-342-0x00000000030B0000-0x000000000447A000-memory.dmp