guloader | f3b42984e87c2a8ce917732513c7ff6ec06f0298331c4ad60f63f000a0d240a2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arrau.exe
Size

1.0MB
MD5

2e8676a03e932238cd66ae2b694616a4
SHA1

8d691b2ba0710ffe56aa7d92281126ec316e196a
SHA256

f3b42984e87c2a8ce917732513c7ff6ec06f0298331c4ad60f63f000a0d240a2
SHA512

78b3810abc503caafa649696118b131ccb544fb86d4dbd66775ed1d6942df02f82f6caf476ba0d46a995cc9730d301410b95a1183cc516662a011eaeb74e3177
SSDEEP

24576:9hbv27In4nug1bM6mfcIuBFo7WCBYR06Nu0wzw:X27I4ug9MjkIYo7FS0H8

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
5048	Arrau.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	api.ipify.org
52	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2648	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5048	Arrau.exe
2648	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 2648	5048	Arrau.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	caspol.exe
2648	caspol.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5048	Arrau.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	caspol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	caspol.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2648	5048	Arrau.exe	96
PID 5048 wrote to memory of 2648	5048	Arrau.exe	96
PID 5048 wrote to memory of 2648	5048	Arrau.exe	96
PID 5048 wrote to memory of 2648	5048	Arrau.exe	96
PID 5048 wrote to memory of 2648	5048	Arrau.exe	96

C:\Users\Admin\AppData\Local\Temp\Arrau.exe
"C:\Users\Admin\AppData\Local\Temp\Arrau.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\Arrau.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh7DDC.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
memory/2648-31-0x0000000000910000-0x0000000001B47000-memory.dmp

Filesize
18.2MB

Download
memory/2648-33-0x0000000072310000-0x0000000072AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2648-43-0x00000000353A0000-0x00000000353AA000-memory.dmp

Filesize
40KB

Download
memory/2648-42-0x0000000035400000-0x0000000035492000-memory.dmp

Filesize
584KB

Download
memory/2648-26-0x0000000000910000-0x0000000001B47000-memory.dmp

Filesize
18.2MB

Download
memory/2648-27-0x0000000000910000-0x0000000001B47000-memory.dmp

Filesize
18.2MB

Download
memory/2648-28-0x0000000077CE8000-0x0000000077CE9000-memory.dmp

Filesize
4KB

Download
memory/2648-29-0x0000000077D05000-0x0000000077D06000-memory.dmp

Filesize
4KB

Download
memory/2648-30-0x0000000073650000-0x00000000748A4000-memory.dmp

Filesize
18.3MB

Download
memory/2648-41-0x0000000072310000-0x0000000072AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2648-40-0x00000000352C0000-0x000000003535C000-memory.dmp

Filesize
624KB

Download
memory/2648-34-0x0000000034700000-0x0000000034CA4000-memory.dmp

Filesize
5.6MB

Download
memory/2648-32-0x0000000073650000-0x0000000073692000-memory.dmp

Filesize
264KB

Download
memory/2648-35-0x0000000031FD0000-0x0000000031FE0000-memory.dmp

Filesize
64KB

Download
memory/2648-36-0x00000000341C0000-0x0000000034226000-memory.dmp

Filesize
408KB

Download
memory/2648-37-0x0000000077C61000-0x0000000077D81000-memory.dmp

Filesize
1.1MB

Download
memory/2648-39-0x00000000351D0000-0x0000000035220000-memory.dmp

Filesize
320KB

Download
memory/5048-23-0x00000000053D0000-0x0000000006607000-memory.dmp

Filesize
18.2MB

Download
memory/5048-22-0x00000000053D0000-0x0000000006607000-memory.dmp

Filesize
18.2MB

Download
memory/5048-25-0x00000000748B0000-0x00000000748B7000-memory.dmp

Filesize
28KB

Download
memory/5048-24-0x0000000077C61000-0x0000000077D81000-memory.dmp

Filesize
1.1MB

Download