guloader | 04838640b4ef54b164d69d2117c6b2b8c59a426cd46f33380d99c298fd636afa

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2023, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.exe
Size

525KB
MD5

91fbfad8dd2f4e1e58edce52ac0e2d93
SHA1

6b2205d2d86131d66dd27eb59a2465e4e5560b02
SHA256

04838640b4ef54b164d69d2117c6b2b8c59a426cd46f33380d99c298fd636afa
SHA512

46fcfb66c4b76b9307b17272aa0f90d0096292f54b02d26a5f714165f77987658b78e352e712b188cb786fc89ab1c59da617ec104f80e041f60bf13f4385a556
SSDEEP

12288:UMwwkS7HrstA/a2Ew628F6SeGjtvP10jhHJ72MYUdklA:UMwwpN/BEw628F6SewtvP1Y726dUA

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 9 IoCs

pid	Process
4916	2.exe
4916	2.exe
4916	2.exe
4916	2.exe
4916	2.exe
4916	2.exe
4916	2.exe
4916	2.exe
4916	2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4968	2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4916	2.exe
4968	2.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4916 set thread context of 4968	4916	2.exe	95
PID 4968 set thread context of 3112	4968	2.exe	69
PID 4968 set thread context of 5076	4968	2.exe	96
PID 5076 set thread context of 3112	5076	SearchIndexer.exe	69

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\pneumodynamic\Crews\melanorrhoea\brnene\tombolaernes.cul	2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\beaner\Krydsogtvrsopgavers\blodstyrtnings\Sovevognskonduktren\svenskekyst\enegngernes\kaldendes\periboli.Tor38	2.exe
File opened for modification	C:\Windows\resources\0409\weichselwood\Ressource\providoring\linjevogterne\sexisms\Enogtyvendedel\matias\afstraffe.opf	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
4968	2.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4916	2.exe
4968	2.exe
3112	Explorer.EXE
3112	Explorer.EXE
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe
5076	SearchIndexer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3112	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4968	4916	2.exe	95
PID 4916 wrote to memory of 4968	4916	2.exe	95
PID 4916 wrote to memory of 4968	4916	2.exe	95
PID 4916 wrote to memory of 4968	4916	2.exe	95
PID 4916 wrote to memory of 4968	4916	2.exe	95
PID 3112 wrote to memory of 5076	3112	Explorer.EXE	96
PID 3112 wrote to memory of 5076	3112	Explorer.EXE	96
PID 3112 wrote to memory of 5076	3112	Explorer.EXE	96
PID 5076 wrote to memory of 3184	5076	SearchIndexer.exe	97
PID 5076 wrote to memory of 3184	5076	SearchIndexer.exe	97
PID 5076 wrote to memory of 3184	5076	SearchIndexer.exe	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4968
- C:\Windows\SysWOW64\SearchIndexer.exe
  "C:\Windows\SysWOW64\SearchIndexer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\LangDLL.dll

Filesize
5KB

MD5
014a3be4a7c1ccb217916dbf4f222bd1

SHA1
9b4c41eb0e84886beb5591d8357155e27f9c68ed

SHA256
09acfc5ee34a1dfa1af3a9d34f00c3b1327b56641feebd536e13752349c08ac8

SHA512
0f3d1bf548e29a136150b699665a3f22c6ea2821701737363fa2920b51c391d735f1eae92dea8af655e7d07304bd3d06e4aff3f5a82fa22bcf5d1690013eb922

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\UserInfo.dll

Filesize
4KB

MD5
98ff85b635d9114a9f6a0cd7b9b649d0

SHA1
7a51b13aa86a445a2161fa1a567cdaecaa5c97c4

SHA256
933f93a30ce44df96cbc4ac0b56a8b02ee01da27e4ea665d1d846357a8fca8de

SHA512
562342532c437236d56054278d27195e5f8c7e59911fc006964149fc0420b1f9963d72a71ebf1cd3dfee42d991a4049a382f7e669863504c16f0fe7097a07a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb1662.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
memory/3112-91-0x0000000002870000-0x0000000002947000-memory.dmp

Filesize
860KB

Download
memory/3112-82-0x0000000002870000-0x0000000002947000-memory.dmp

Filesize
860KB

Download
memory/3112-81-0x0000000002870000-0x0000000002947000-memory.dmp

Filesize
860KB

Download
memory/4916-37-0x00000000052A0000-0x0000000008258000-memory.dmp

Filesize
47.7MB

Download
memory/4916-38-0x00000000052A0000-0x0000000008258000-memory.dmp

Filesize
47.7MB

Download
memory/4916-39-0x00000000772A1000-0x00000000773C1000-memory.dmp

Filesize
1.1MB

Download
memory/4916-40-0x0000000074100000-0x0000000074107000-memory.dmp

Filesize
28KB

Download
memory/4968-60-0x0000000001660000-0x0000000004618000-memory.dmp

Filesize
47.7MB

Download
memory/4968-73-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-44-0x0000000077345000-0x0000000077346000-memory.dmp

Filesize
4KB

Download
memory/4968-61-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-62-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-63-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-64-0x0000000001660000-0x0000000004618000-memory.dmp

Filesize
47.7MB

Download
memory/4968-65-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-66-0x00000000772A1000-0x00000000773C1000-memory.dmp

Filesize
1.1MB

Download
memory/4968-67-0x0000000034A70000-0x0000000034DBA000-memory.dmp

Filesize
3.3MB

Download
memory/4968-68-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-71-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-72-0x0000000004710000-0x000000000472B000-memory.dmp

Filesize
108KB

Download
memory/4968-59-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-41-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-42-0x0000000001660000-0x0000000004618000-memory.dmp

Filesize
47.7MB

Download
memory/4968-77-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4968-43-0x0000000077328000-0x0000000077329000-memory.dmp

Filesize
4KB

Download
memory/5076-79-0x0000000000310000-0x000000000034A000-memory.dmp

Filesize
232KB

Download
memory/5076-80-0x0000000000CD0000-0x0000000000D6A000-memory.dmp

Filesize
616KB

Download
memory/5076-78-0x0000000000E80000-0x00000000011CA000-memory.dmp

Filesize
3.3MB

Download
memory/5076-75-0x0000000000310000-0x000000000034A000-memory.dmp

Filesize
232KB

Download
memory/5076-89-0x0000000000310000-0x000000000034A000-memory.dmp

Filesize
232KB

Download
memory/5076-90-0x0000000000CD0000-0x0000000000D6A000-memory.dmp

Filesize
616KB

Download
memory/5076-74-0x0000000000310000-0x000000000034A000-memory.dmp

Filesize
232KB

Download