Malware Analysis Report

2025-08-10 19:27

Sample ID 230713-ve5l7she23
Target 145.scr
SHA256 2862f154ed0e21c853a4e215cd7f5ee6d18e166ee3a742702540d5a4bb206a2f
Tags
guloader downloader
score
10/10

Analysis Overview

score
10/10

SHA256

2862f154ed0e21c853a4e215cd7f5ee6d18e166ee3a742702540d5a4bb206a2f

Threat Level: Known bad

The file 145.scr was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

NSIS installer

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-13 16:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-13 16:55

Reported

2023-07-13 16:57

Platform

win7-20230712-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\145.scr" /S

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\145.scr N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\leaderess\smmendes\Udtrkssengs.int C:\Users\Admin\AppData\Local\Temp\145.scr N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\bremsningerne\regionalgeografiers.Ber C:\Users\Admin\AppData\Local\Temp\145.scr N/A
File opened for modification C:\Windows\resources\gemytlig\clamorers\trindeler\trappean.Ste213 C:\Users\Admin\AppData\Local\Temp\145.scr N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\145.scr

"C:\Users\Admin\AppData\Local\Temp\145.scr" /S

Network

N/A

Files

C:\Users\Admin\Pictures\uhyrernes.ini

MD5 dd143147e10d519478db6e6956810edb
SHA1 b7ff19de5084e38102023994ce40631aabde2133
SHA256 332504cea7d45f5f2f2554d3842dab2d3b3eb656288352e65217ea3a99a8d45b
SHA512 9b1d7b9aa854f5d5a9cb903aa55a76c74c272e399f91484338e80d822dab61c7da907597d7302393646772ab36f2a9382f7c326a8f300deabb578198ec848eb9

\Users\Admin\AppData\Local\Temp\nstE34F.tmp\System.dll

MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

memory/2288-262-0x0000000002D00000-0x00000000040CA000-memory.dmp

memory/2288-263-0x0000000002D00000-0x00000000040CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-13 16:55

Reported

2023-07-13 16:57

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\145.scr" /S

Signatures

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\145.scr N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\leaderess\smmendes\Udtrkssengs.int C:\Users\Admin\AppData\Local\Temp\145.scr N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\bremsningerne\regionalgeografiers.Ber C:\Users\Admin\AppData\Local\Temp\145.scr N/A
File opened for modification C:\Windows\resources\gemytlig\clamorers\trindeler\trappean.Ste213 C:\Users\Admin\AppData\Local\Temp\145.scr N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\145.scr

"C:\Users\Admin\AppData\Local\Temp\145.scr" /S

Network

Country Destination Domain Proto

Files

C:\Users\Admin\Pictures\uhyrernes.ini

MD5 dd143147e10d519478db6e6956810edb
SHA1 b7ff19de5084e38102023994ce40631aabde2133
SHA256 332504cea7d45f5f2f2554d3842dab2d3b3eb656288352e65217ea3a99a8d45b
SHA512 9b1d7b9aa854f5d5a9cb903aa55a76c74c272e399f91484338e80d822dab61c7da907597d7302393646772ab36f2a9382f7c326a8f300deabb578198ec848eb9

C:\Users\Admin\AppData\Local\Temp\nsm71F6.tmp\System.dll

MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

memory/844-341-0x00000000030B0000-0x000000000447A000-memory.dmp

memory/844-342-0x00000000030B0000-0x000000000447A000-memory.dmp