guloader | cb8c35f6c10b9fa1b3646cc0c231ffde270e01fa67e21ac7145687169fc81e50

Analysis

max time kernel
149s
max time network
162s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 18:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SÖZLEŞME-pdf.exe
Size

698KB
MD5

51f839810ce0ba1728127d41e39afffa
SHA1

e0accff644b9a36bf39c6af187160ce34d485048
SHA256

cb8c35f6c10b9fa1b3646cc0c231ffde270e01fa67e21ac7145687169fc81e50
SHA512

4a9ee4499773be98ae31e94df6b10aafb542884f962e37b594e252c6599ecb3b661400d3cb4d2139155c7d6ddc0ede2f890e978e13103c2ef452688ba0f5b485
SSDEEP

12288:Yt1WPmvQx0Fh9nwB04Tyzx5yfS/a+Meyp7nZ02N2+XKWN9+SpHe7ZF4W:c1Wn2wB04Gpy+b07nO2NlXN0SpHeNF/

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
2256	SÖZLEŞME-pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2256	SÖZLEŞME-pdf.exe
2176	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 2176	2256	SÖZLEŞME-pdf.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2256	SÖZLEŞME-pdf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2176	2256	SÖZLEŞME-pdf.exe	28
PID 2256 wrote to memory of 2176	2256	SÖZLEŞME-pdf.exe	28
PID 2256 wrote to memory of 2176	2256	SÖZLEŞME-pdf.exe	28
PID 2256 wrote to memory of 2176	2256	SÖZLEŞME-pdf.exe	28
PID 2256 wrote to memory of 2176	2256	SÖZLEŞME-pdf.exe	28
PID 2256 wrote to memory of 2176	2256	SÖZLEŞME-pdf.exe	28

C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy65E5.tmp\System.dll

Filesize
11KB

MD5
be2621a78a13a56cf09e00dd98488360

SHA1
75f0539dc6af200a07cdb056cddddec595c6cfd2

SHA256
852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5

SHA512
b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

Download Submit
memory/2176-16-0x00000000008E0000-0x0000000002EBC000-memory.dmp

Filesize
37.9MB

Download
memory/2176-17-0x00000000008E0000-0x0000000002EBC000-memory.dmp

Filesize
37.9MB

Download
memory/2176-18-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2176-19-0x0000000072D70000-0x0000000073DD2000-memory.dmp

Filesize
16.4MB

Download
memory/2256-11-0x0000000003380000-0x000000000595C000-memory.dmp

Filesize
37.9MB

Download
memory/2256-12-0x0000000003380000-0x000000000595C000-memory.dmp

Filesize
37.9MB

Download
memory/2256-13-0x00000000777F0000-0x0000000077999000-memory.dmp

Filesize
1.7MB

Download
memory/2256-14-0x00000000779E0000-0x0000000077AB6000-memory.dmp

Filesize
856KB

Download
memory/2256-15-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download