Malware Analysis Report

2025-08-05 14:07

Sample ID 230807-hhgy4afc5s
Target WB Documents No-285380XXX.exe
SHA256 6065cbb9fb0ae29dbdeca23edc1869c329d71fa17cce27daead9fdfec4b48c42
Tags
guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6065cbb9fb0ae29dbdeca23edc1869c329d71fa17cce27daead9fdfec4b48c42

Threat Level: Known bad

The file WB Documents No-285380XXX.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Checks QEMU agent file

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-07 06:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-07 06:44

Reported

2023-08-07 06:46

Platform

win7-20230712-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\eksponer\handstaff\Verruga\bukselommens.coa C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe

"C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy7EE1.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

C:\Users\Admin\AppData\Local\Temp\nsy7EE1.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

\Users\Admin\AppData\Local\Temp\nsy7EE1.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

memory/2472-66-0x00000000027A0000-0x00000000056A3000-memory.dmp

memory/2472-67-0x0000000077020000-0x00000000771C9000-memory.dmp

memory/2472-68-0x0000000077210000-0x00000000772E6000-memory.dmp

memory/2472-69-0x00000000027A0000-0x00000000056A3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-07 06:44

Reported

2023-08-07 06:46

Platform

win10v2004-20230703-en

Max time kernel

128s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\eksponer\handstaff\Verruga\bukselommens.coa C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe

"C:\Users\Admin\AppData\Local\Temp\WB Documents No-285380XXX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4344 -ip 4344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1044

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.128.241.8.in-addr.arpa udp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nswB065.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

C:\Users\Admin\AppData\Local\Temp\nswB065.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

C:\Users\Admin\AppData\Local\Temp\nswB065.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

memory/4344-144-0x0000000002A80000-0x0000000005983000-memory.dmp

memory/4344-145-0x0000000077E31000-0x0000000077F51000-memory.dmp

memory/4344-146-0x0000000002A80000-0x0000000005983000-memory.dmp