Malware Analysis Report

2025-08-05 14:06

Sample ID 230805-ng8y3sca52
Target 6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls
SHA256 6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760
Tags
guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760

Threat Level: Known bad

The file 6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Office document contains embedded OLE objects

Launches Equation Editor

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-05 11:23

Signatures

Office document contains embedded OLE objects

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-05 11:23

Reported

2023-08-05 11:25

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls"

Network

All traffic recorded in this run consists of reverse-DNS (PTR) lookups sent to 8.8.8.8; no payload download or outbound TCP connection was observed.

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 24.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/4720-133-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp

memory/4720-135-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp

memory/4720-134-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp

memory/4720-136-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-137-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-140-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp

memory/4720-138-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp

memory/4720-139-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-141-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-142-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-143-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-144-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-145-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-146-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-147-0x00007FFAA8CC0000-0x00007FFAA8CD0000-memory.dmp

memory/4720-148-0x00007FFAA8CC0000-0x00007FFAA8CD0000-memory.dmp

memory/4720-149-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-150-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-151-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-152-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-153-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-154-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-155-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-156-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-166-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

memory/4720-170-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8BED6E60.emf

MD5 a01b9617553432807b9b58025b338d97
SHA1 439bdcc450408b9735b2428c2d53d2e6977fa58c
SHA256 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
SHA512 312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

memory/4720-203-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp

memory/4720-204-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp

memory/4720-205-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp

memory/4720-206-0x00007FFAAB530000-0x00007FFAAB540000-memory.dmp

memory/4720-207-0x00007FFAEB4B0000-0x00007FFAEB6A5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-05 11:23

Reported

2023-08-05 11:25

Platform

win7-20230712-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls

Signatures

Guloader,Cloudeye

downloader guloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe

"C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe"
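The process list above is the detection-relevant part of this run: EXCEL.EXE opens the sheet, EQNEDT32.EXE is started with -Embedding, and IBS_Cortana.exe runs from the user's Temp directory. The script below is an added example of how to triage such a chain from process-creation telemetry; it is not the sandbox's own signature logic. EVENTS is constructed from the report's process list; the PIDs, parent PIDs and the svchost.exe entry are assumptions (EQNEDT32.EXE is a COM server launched with "-Embedding", so its parent is normally the DcomLaunch svchost.exe rather than EXCEL.EXE, which is why a rule that only looks for "Office spawned X" misses it).

```python
"""Process-chain triage: flag the Equation Editor (EQNEDT32.EXE) acting as a
launch point for a dropped executable.

Added example, not the sandbox's own detection logic. EVENTS is constructed
from the report's process list; pids, ppids and the svchost.exe entry are
assumptions.
"""
from dataclasses import dataclass
import ntpath

XLS = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\6d641a102305c0a62467fdf0197ff548473edf090d07c0c3faa3f1f9ea10c760xls_JC.xls")
EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"  # assumed DCOM launcher, not in the report


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed Sysmon-EID-1-style process creation events (all pids assumed).
EVENTS = [
    ProcEvent(1136, 900, EXCEL, f'"{EXCEL}" /dde {XLS}'),
    ProcEvent(700, 500, SVCHOST, f"{SVCHOST} -k DcomLaunch"),
    ProcEvent(2484, 700, EQNEDT, f'"{EQNEDT}" -Embedding'),
    ProcEvent(2600, 2484, DROPPED, f'"{DROPPED}"'),
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
USER_TEMP = "\\appdata\\local\\temp\\"


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def index_by_pid(events):
    return {e.pid: e for e in events}


def ancestors(pid, index):
    """Walk parent links upward; stops at an unknown pid or a cycle."""
    seen = {pid}
    cur = index.get(pid)
    while cur is not None and cur.ppid in index and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = index[cur.ppid]
        yield cur


def has_office_ancestor(pid, index) -> bool:
    return any(image_name(a.image) in OFFICE_IMAGES for a in ancestors(pid, index))


def detect(events):
    """Return alerts as dicts with at least {rule, pid, image}."""
    index = index_by_pid(events)
    alerts = []
    for e in events:
        name = image_name(e.image)
        parent = index.get(e.ppid)
        if name == "eqnedt32.exe":
            # Equivalent of the report's "Launches Equation Editor" signature.
            # Parent correlation to Office fails for a DCOM launch, so key on
            # the image alone and just record whether an Office ancestor exists.
            alerts.append({"rule": "equation_editor_started", "pid": e.pid,
                           "image": e.image,
                           "office_ancestor": has_office_ancestor(e.pid, index)})
        if parent is not None and image_name(parent.image) == "eqnedt32.exe":
            # Equation Editor should never spawn children.
            alerts.append({"rule": "eqnedt32_spawned_child", "pid": e.pid, "image": e.image})
        if USER_TEMP in e.image.lower():
            # Executable image running out of %LOCALAPPDATA%\Temp.
            alerts.append({"rule": "exec_from_user_temp", "pid": e.pid, "image": e.image})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The DCOM point is the practical caveat: hunting for EXCEL.EXE as the parent of EQNEDT32.EXE (or of the dropped EXE) returns nothing on this chain, so the rules above key on EQNEDT32.EXE itself and on what it spawns.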

Network

Country Destination Domain Proto
US 198.46.176.189:80 198.46.176.189 tcp

Files

memory/1136-55-0x0000000073ECD000-0x0000000073ED8000-memory.dmp

memory/1136-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe

MD5 08defe80ace1f032875c8127ae5e4481
SHA1 2d7ba957be6c89cd3633a63dfd8e925a90d40bd4
SHA256 ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062
SHA512 09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7

C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe

MD5 08defe80ace1f032875c8127ae5e4481
SHA1 2d7ba957be6c89cd3633a63dfd8e925a90d40bd4
SHA256 ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062
SHA512 09fc727fcdc86e57bc143571d061652787f2e82189255df2bebf2951ae705ef9d185646cadcd30b671233959512788c37fd6a350b28a676f064c87228bbf9bd7

\Users\Admin\AppData\Local\Temp\nso8161.tmp\System.dll

MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA512 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

memory/2484-81-0x00000000037A0000-0x0000000004417000-memory.dmp

memory/1136-82-0x0000000073ECD000-0x0000000073ED8000-memory.dmp

memory/2484-83-0x00000000037A0000-0x0000000004417000-memory.dmp

memory/1136-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2398AB6F.emf

MD5 a01b9617553432807b9b58025b338d97
SHA1 439bdcc450408b9735b2428c2d53d2e6977fa58c
SHA256 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
SHA512 312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

memory/1136-104-0x0000000073ECD000-0x0000000073ED8000-memory.dmp
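The Files sections list IBS_Cortana.exe several times under two path spellings and the same EMF hash under both detonations, alongside a long run of memory dumps that often cover the same region. The script below is an added example (not part of the report or the sandbox's tooling) that de-duplicates file artefacts by SHA256, checks that the MD5/SHA1 agree for each SHA256, and groups the memory dumps by (pid, start, end) so the largest distinct region can be picked for manual triage. FILES_TEXT is a constructed excerpt of the two Files sections, using the report's own paths and hashes but trimmed to MD5/SHA1/SHA256 and a handful of memory entries so it runs offline.

```python
"""Hash-based de-duplication of sandbox file artefacts and sizing of the
listed memory dumps.

Added example, not part of the sandbox report. FILES_TEXT is a constructed,
trimmed excerpt of the report's Files sections.
"""
import re
from collections import defaultdict

FILES_TEXT = r"""
memory/1136-55-0x0000000073ECD000-0x0000000073ED8000-memory.dmp
memory/1136-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe
MD5 08defe80ace1f032875c8127ae5e4481
SHA1 2d7ba957be6c89cd3633a63dfd8e925a90d40bd4
SHA256 ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062
C:\Users\Admin\AppData\Local\Temp\IBS_Cortana.exe
MD5 08defe80ace1f032875c8127ae5e4481
SHA1 2d7ba957be6c89cd3633a63dfd8e925a90d40bd4
SHA256 ac131e3fbcd040f4a5f0dc8e90d3c77bb98d934d5c6696de510ca89f18599062
\Users\Admin\AppData\Local\Temp\nso8161.tmp\System.dll
MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
memory/2484-81-0x00000000037A0000-0x0000000004417000-memory.dmp
memory/2484-83-0x00000000037A0000-0x0000000004417000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2398AB6F.emf
MD5 a01b9617553432807b9b58025b338d97
SHA1 439bdcc450408b9735b2428c2d53d2e6977fa58c
SHA256 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8BED6E60.emf
MD5 a01b9617553432807b9b58025b338d97
SHA1 439bdcc450408b9735b2428c2d53d2e6977fa58c
SHA256 7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files(text):
    """Split a Files section into (file_entries, memory_dumps).

    A file entry is a path line followed by its hash lines; a memory dump line
    is parsed into pid, dump index and the [start, end) address range.
    """
    files, dumps = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current["hashes"][h.group(1)] = h.group(2).lower()
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def dedupe_by_sha256(files):
    """Collapse repeated listings of the same content; keep every path seen."""
    out = {}
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha is None:
            continue
        rec = out.setdefault(sha, {"md5": f["hashes"].get("MD5"),
                                   "sha1": f["hashes"].get("SHA1"), "paths": set()})
        for alg in ("md5", "sha1"):
            if rec[alg] != f["hashes"].get(alg.upper()):
                raise ValueError(f"inconsistent {alg} for {sha}: {f['path']}")
        rec["paths"].add(f["path"])
    return out


def dump_regions(dumps):
    """Group dumps by (pid, start, end): capture count and region size in bytes."""
    counts = defaultdict(int)
    for d in dumps:
        counts[(d["pid"], d["start"], d["end"])] += 1
    return {k: {"count": n, "size": k[2] - k[1]} for k, n in counts.items()}


def largest_region(regions):
    """(key, info) of the biggest distinct region, a natural first triage target."""
    return max(regions.items(), key=lambda kv: kv[1]["size"])


if __name__ == "__main__":
    files, dumps = parse_files(FILES_TEXT)
    for sha, rec in dedupe_by_sha256(files).items():
        print(sha, sorted(rec["paths"]))
    (pid, start, end), info = largest_region(dump_regions(dumps))
    print(f"largest region: pid {pid} 0x{start:X}-0x{end:X} ({info['size']} bytes, x{info['count']})")
```

Keying on SHA256 rather than on path is what makes the `\Users\...` and `C:\Users\...` spellings collapse into one artefact; the MD5/SHA1 cross-check catches a mis-pasted hash line before it reaches a blocklist.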