Malware Analysis Report

2025-08-05 14:06

Sample ID 230804-vwmsqaec2z
Target 62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033exe_JC.exe
SHA256 62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033
Tags
guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033

Threat Level: Known bad

The file 62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Loads dropped DLL

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-04 17:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-04 17:20

Reported

2023-08-04 17:23

Platform

win7-20230712-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033exe_JC.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033exe_JC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 496

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nstB7BC.tmp\System.dll

MD5 b853d5d2361ade731e33e882707efc34
SHA1 c58b1aeabdf1cbb8334ef8797e7aceaa7a1cb6be
SHA256 f0cd96e0b6e40f92ad1aa0efacde833bae807b92fca19bf062c1cf8acf29484b
SHA512 8ea31d82ffa6f58dab5632fe72690d3a6db0be65aec85fc8a1f71626773c0974dcebefae17bcf67c4c56ef442545e985eea0b348ff6e4fc36740640092b08d69

memory/1680-63-0x00000000035A0000-0x0000000003F9C000-memory.dmp

memory/1680-64-0x00000000035A0000-0x0000000003F9C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-04 17:20

Reported

2023-08-04 17:23

Platform

win10v2004-20230703-en

Max time kernel

138s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033exe_JC.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\62f6c0808306a2863176d2b6302113abdd06f626f42269ea0da9fab94f058033exe_JC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1100

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 126.132.241.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsz77F0.tmp\System.dll

MD5 b853d5d2361ade731e33e882707efc34
SHA1 c58b1aeabdf1cbb8334ef8797e7aceaa7a1cb6be
SHA256 f0cd96e0b6e40f92ad1aa0efacde833bae807b92fca19bf062c1cf8acf29484b
SHA512 8ea31d82ffa6f58dab5632fe72690d3a6db0be65aec85fc8a1f71626773c0974dcebefae17bcf67c4c56ef442545e985eea0b348ff6e4fc36740640092b08d69

memory/2756-143-0x0000000004ED0000-0x00000000058CC000-memory.dmp

memory/2756-144-0x0000000004ED0000-0x00000000058CC000-memory.dmp