guloader | 29167828218e982768bc2853fbdbf68693a2e7e9daca53106eedd9af9d873456

Analysis

max time kernel
151s
max time network
159s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 17:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TELLIMUS.exe
Size

1.4MB
MD5

ace6da016dbe62de41d37f890cccd3f3
SHA1

107f1172ff1d6ccbb3cdc3ff5d875732c1d2d62d
SHA256

504fabaf59d6e4bd0d8ae73063979d43ed204f234de00bb02a8be32ae34c19a5
SHA512

94f890052a74dc1c4738195e83a1917e4c990b16bbfe7c3932ac256274b03e76cc3b12cc09130bf7865dc2e4339cb0e9c42ae2f4bc0d160951d66ad788eb97d9
SSDEEP

24576:4Kk6ZwssbqDuv+9gk7LwbpclU12Z1owyMsMtBH9I9QoP8YfyWhk2xRUASHJcPW8Z:9kMsQugwbylFZ1l7wQokD09OuPWHK

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
2576	TELLIMUS.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2576	TELLIMUS.exe
2768	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2768	2576	TELLIMUS.exe	28

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pass.ini	TELLIMUS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2576	TELLIMUS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2768	2576	TELLIMUS.exe	28
PID 2576 wrote to memory of 2768	2576	TELLIMUS.exe	28
PID 2576 wrote to memory of 2768	2576	TELLIMUS.exe	28
PID 2576 wrote to memory of 2768	2576	TELLIMUS.exe	28
PID 2576 wrote to memory of 2768	2576	TELLIMUS.exe	28
PID 2576 wrote to memory of 2768	2576	TELLIMUS.exe	28

C:\Users\Admin\AppData\Local\Temp\TELLIMUS.exe
"C:\Users\Admin\AppData\Local\Temp\TELLIMUS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\TELLIMUS.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Pictures\bovlstrups.ini

Filesize
41B

MD5
1f8a8fe20f1870e7459bc3ceba450e96

SHA1
1f2a4a6c5160948128e72d581db9ffc298706e7d

SHA256
39bf1e3290ba34b0b8ce448ba58048aa4ed75ff8eafce7e191f6b88078b68abe

SHA512
2b5363332229eb290c7318a1bd1a122a71048a71f87241da9feaace4779d3318aeefff724148d84217d7f98fd070b8be0cf0102d78d30a4f10fa3f35a87115c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy628B.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/2576-22-0x0000000003420000-0x0000000004487000-memory.dmp

Filesize
16.4MB

Download
memory/2576-23-0x0000000003420000-0x0000000004487000-memory.dmp

Filesize
16.4MB

Download
memory/2576-24-0x00000000772D0000-0x0000000077479000-memory.dmp

Filesize
1.7MB

Download
memory/2576-25-0x00000000774C0000-0x0000000077596000-memory.dmp

Filesize
856KB

Download
memory/2576-26-0x0000000074C80000-0x0000000074C87000-memory.dmp

Filesize
28KB

Download
memory/2768-27-0x0000000001060000-0x00000000020C7000-memory.dmp

Filesize
16.4MB

Download
memory/2768-28-0x0000000001060000-0x00000000020C7000-memory.dmp

Filesize
16.4MB

Download
memory/2768-29-0x00000000772D0000-0x0000000077479000-memory.dmp

Filesize
1.7MB

Download
memory/2768-30-0x0000000072850000-0x00000000738B2000-memory.dmp

Filesize
16.4MB

Download
memory/2768-31-0x00000000772D0000-0x0000000077479000-memory.dmp

Filesize
1.7MB

Download