guloader | 04838640b4ef54b164d69d2117c6b2b8c59a426cd46f33380d99c298fd636afa

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
23-11-2023 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

525KB
MD5

91fbfad8dd2f4e1e58edce52ac0e2d93
SHA1

6b2205d2d86131d66dd27eb59a2465e4e5560b02
SHA256

04838640b4ef54b164d69d2117c6b2b8c59a426cd46f33380d99c298fd636afa
SHA512

46fcfb66c4b76b9307b17272aa0f90d0096292f54b02d26a5f714165f77987658b78e352e712b188cb786fc89ab1c59da617ec104f80e041f60bf13f4385a556
SSDEEP

12288:UMwwkS7HrstA/a2Ew628F6SeGjtvP10jhHJ72MYUdklA:UMwwpN/BEw628F6SewtvP1Y726dUA

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 10 IoCs

pid	Process
1296	2.exe
1296	2.exe
1296	2.exe
1296	2.exe
1296	2.exe
1296	2.exe
1296	2.exe
1296	2.exe
1296	2.exe
528	SearchIndexer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2672	2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1296	2.exe
2672	2.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1296 set thread context of 2672	1296	2.exe	28
PID 2672 set thread context of 1196	2672	2.exe	13
PID 2672 set thread context of 528	2672	2.exe	33
PID 528 set thread context of 1196	528	SearchIndexer.exe	13

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\pneumodynamic\Crews\melanorrhoea\brnene\tombolaernes.cul	2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\beaner\Krydsogtvrsopgavers\blodstyrtnings\Sovevognskonduktren\svenskekyst\enegngernes\kaldendes\periboli.Tor38	2.exe
File opened for modification	C:\Windows\resources\0409\weichselwood\Ressource\providoring\linjevogterne\sexisms\Enogtyvendedel\matias\afstraffe.opf	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1861898231-3446828954-4278112889-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2672	2.exe
2672	2.exe
2672	2.exe
2672	2.exe
2672	2.exe
2672	2.exe
2672	2.exe
2672	2.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1196	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1296	2.exe
2672	2.exe
1196	Explorer.EXE
1196	Explorer.EXE
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe
528	SearchIndexer.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2672	1296	2.exe	28
PID 1296 wrote to memory of 2672	1296	2.exe	28
PID 1296 wrote to memory of 2672	1296	2.exe	28
PID 1296 wrote to memory of 2672	1296	2.exe	28
PID 1296 wrote to memory of 2672	1296	2.exe	28
PID 1296 wrote to memory of 2672	1296	2.exe	28
PID 1196 wrote to memory of 528	1196	Explorer.EXE	33
PID 1196 wrote to memory of 528	1196	Explorer.EXE	33
PID 1196 wrote to memory of 528	1196	Explorer.EXE	33
PID 1196 wrote to memory of 528	1196	Explorer.EXE	33
PID 528 wrote to memory of 2032	528	SearchIndexer.exe	34
PID 528 wrote to memory of 2032	528	SearchIndexer.exe	34
PID 528 wrote to memory of 2032	528	SearchIndexer.exe	34
PID 528 wrote to memory of 2032	528	SearchIndexer.exe	34
PID 528 wrote to memory of 2032	528	SearchIndexer.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2672
- C:\Windows\SysWOW64\SearchIndexer.exe
  "C:\Windows\SysWOW64\SearchIndexer.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy4413.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4413.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpxxmb.zip

Filesize
430KB

MD5
30a561abb006b9d5debdd51dab743700

SHA1
e19c8d436f5b6ed66db21e32020f5ab6406241ca

SHA256
62da7ad6252a7778f096d62d9485a97ac48f2f2d0258cecd471aaada98877fe2

SHA512
e48b51bb99083c7e9fd55e28c9c667bf9c6c7141c1b620ce71542849bfed53a92585897321831743e80a8eea3ac0c787ab091f742bf58b587a5e50f723443c53

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4413.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4413.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4413.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4413.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4413.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4413.tmp\UserInfo.dll

Filesize
4KB

MD5
98ff85b635d9114a9f6a0cd7b9b649d0

SHA1
7a51b13aa86a445a2161fa1a567cdaecaa5c97c4

SHA256
933f93a30ce44df96cbc4ac0b56a8b02ee01da27e4ea665d1d846357a8fca8de

SHA512
562342532c437236d56054278d27195e5f8c7e59911fc006964149fc0420b1f9963d72a71ebf1cd3dfee42d991a4049a382f7e669863504c16f0fe7097a07a0a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4413.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4413.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4413.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
820KB

MD5
317ba2f8e624ec0c7d3714e2bde4f346

SHA1
12734675cfad66d78252515644a624964f69f94d

SHA256
0c2093493424e885c297d613e0cf343d8a084253ca3b044415e14c6e94696877

SHA512
ecc4a6f951cd7958288b7de35b253475fcc0910f5385b0b38db872a412b547ef5d8e7056865d26ae46b3b027d8b0bb37aa25ec6cb1a67abd342799795bfd3b08

Download Submit
memory/528-150-0x0000000001E00000-0x0000000001E9A000-memory.dmp

Filesize
616KB

Download
memory/528-103-0x0000000001E00000-0x0000000001E9A000-memory.dmp

Filesize
616KB

Download
memory/528-149-0x0000000061E00000-0x0000000061EBB000-memory.dmp

Filesize
748KB

Download
memory/528-131-0x0000000000140000-0x000000000017A000-memory.dmp

Filesize
232KB

Download
memory/528-96-0x0000000000140000-0x000000000017A000-memory.dmp

Filesize
232KB

Download
memory/528-97-0x0000000000140000-0x000000000017A000-memory.dmp

Filesize
232KB

Download
memory/528-100-0x0000000002190000-0x0000000002493000-memory.dmp

Filesize
3.0MB

Download
memory/528-102-0x0000000000140000-0x000000000017A000-memory.dmp

Filesize
232KB

Download
memory/1196-151-0x0000000003D10000-0x0000000003DB3000-memory.dmp

Filesize
652KB

Download
memory/1196-104-0x0000000002700000-0x0000000002800000-memory.dmp

Filesize
1024KB

Download
memory/1196-105-0x0000000003D10000-0x0000000003DB3000-memory.dmp

Filesize
652KB

Download
memory/1196-106-0x0000000003D10000-0x0000000003DB3000-memory.dmp

Filesize
652KB

Download
memory/1196-107-0x0000000008A10000-0x0000000009763000-memory.dmp

Filesize
13.3MB

Download
memory/1196-90-0x0000000002700000-0x0000000002800000-memory.dmp

Filesize
1024KB

Download
memory/1196-93-0x0000000008A10000-0x0000000009763000-memory.dmp

Filesize
13.3MB

Download
memory/1296-47-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/1296-50-0x00000000750E0000-0x00000000750E7000-memory.dmp

Filesize
28KB

Download
memory/1296-46-0x0000000003A80000-0x0000000006A38000-memory.dmp

Filesize
47.7MB

Download
memory/1296-48-0x0000000003A80000-0x0000000006A38000-memory.dmp

Filesize
47.7MB

Download
memory/1296-49-0x0000000077DB0000-0x0000000077E86000-memory.dmp

Filesize
856KB

Download
memory/2672-78-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-54-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-81-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-80-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-99-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-79-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-84-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-77-0x0000000001470000-0x0000000004428000-memory.dmp

Filesize
47.7MB

Download
memory/2672-76-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-82-0x0000000001470000-0x0000000004428000-memory.dmp

Filesize
47.7MB

Download
memory/2672-53-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/2672-52-0x0000000001470000-0x0000000004428000-memory.dmp

Filesize
47.7MB

Download
memory/2672-51-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-94-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-83-0x0000000034790000-0x0000000034A93000-memory.dmp

Filesize
3.0MB

Download
memory/2672-92-0x00000000000C0000-0x00000000000DB000-memory.dmp

Filesize
108KB

Download
memory/2672-91-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download