Malware Analysis Report

2025-08-05 14:06

Sample ID 230808-hsrlaabb23
Target DRAWING-MATERIALS NEEDED.exe
SHA256 63c7c7144d487bb38e9473ed1a7b420440b131981c5e83901614212f7d9bd8d8
Tags guloader, downloader
Score 10/10

Analysis Overview

Score 10/10

SHA256

63c7c7144d487bb38e9473ed1a7b420440b131981c5e83901614212f7d9bd8d8

Threat Level: Known bad

The file DRAWING-MATERIALS NEEDED.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader, Cloudeye

Checks QEMU agent file

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-08 07:00

Signatures

NSIS installer

installer
Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-08 07:00

Reported

2023-08-08 07:02

Platform

win7-20230712-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe"

Signatures

Guloader, Cloudeye

downloader guloader

Checks QEMU agent file

Description: File opened (read-only)
Indicator: C:\Program Files\Qemu-ga\qemu-ga.exe
Process: C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe
Target: N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe

"C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 492

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd6D54.tmp\System.dll

MD5 4d3b19a81bd51f8ce44b93643a4e3a99
SHA1 35f8b00e85577b014080df98bd2c378351d9b3e9
SHA256 fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
SHA512 b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

memory/1648-65-0x00000000030C0000-0x0000000003CB8000-memory.dmp

memory/1648-66-0x00000000030C0000-0x0000000003CB8000-memory.dmp

memory/1648-67-0x0000000076E00000-0x0000000076FA9000-memory.dmp

memory/1648-68-0x0000000076FF0000-0x00000000770C6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-08 07:00

Reported

2023-08-08 07:02

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe"

Signatures

Guloader, Cloudeye

downloader guloader

Checks QEMU agent file

Description: File opened (read-only)
Indicator: C:\Program Files\Qemu-ga\qemu-ga.exe
Process: C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe
Target: N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe

"C:\Users\Admin\AppData\Local\Temp\DRAWING-MATERIALS NEEDED.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2484 -ip 2484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1140

Network

Files

C:\Users\Admin\AppData\Local\Temp\nsx800E.tmp\System.dll

MD5 4d3b19a81bd51f8ce44b93643a4e3a99
SHA1 35f8b00e85577b014080df98bd2c378351d9b3e9
SHA256 fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
SHA512 b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

memory/2484-143-0x0000000004A60000-0x0000000005658000-memory.dmp

memory/2484-144-0x0000000004A60000-0x0000000005658000-memory.dmp

memory/2484-145-0x0000000077441000-0x0000000077561000-memory.dmp

memory/2484-146-0x0000000004A60000-0x0000000005658000-memory.dmp

memory/2484-147-0x0000000077441000-0x0000000077561000-memory.dmp