guloader | 6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe
Size

653KB
MD5

39ec842756e01eb17542974aae74c30a
SHA1

461e89517eba220c242065f60a7f11dc5e679765
SHA256

6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4
SHA512

fb9984954882e5c5d5f75a2e3cedacd9734bcfcd5eb5a4d5a3176e12f19cc1e142f8b3855f0710cce715919becb62bac0a25750eb7ebb571dead83d8b29b4f51
SSDEEP

12288:wop/kb5q37+1/GygOiDFG+Jud5EVsFPNYsxMkkSdWDdaX480BjCy:wou4/ygOYFG+qFYsxiSUdw1IjT

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Protura.exe"	wab.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2228	wab.exe
2228	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe
2228	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2228	2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe	31

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\filmslide\windowful.lnk	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2228	wab.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2228	2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe	31
PID 2524 wrote to memory of 2228	2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe	31
PID 2524 wrote to memory of 2228	2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe	31
PID 2524 wrote to memory of 2228	2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe	31
PID 2524 wrote to memory of 2228	2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe	31
PID 2524 wrote to memory of 2228	2524	6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe	31

C:\Users\Admin\AppData\Local\Temp\6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe
"C:\Users\Admin\AppData\Local\Temp\6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Program Files (x86)\windows mail\wab.exe
  "C:\Users\Admin\AppData\Local\Temp\6529e196929b7761c5cd5034a5eb478d8665b7d537755acd2693ce734bec48d4.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
8b1061a580e23d221b9942a5c074ff88

SHA1
9d88b65e63498072958ab3ca3332ae99d00076bf

SHA256
a20490bb613cf1f9c29536d839f54d9682b6c88ec7d7578dbac8a1f7a28863e1

SHA512
b374c6c31a156a2d794ddd70fc0a070f85cd93bd3866c1d011b3e7010f45bcfc9956aed6ecc796903f8db4e7835c6dcfcc06eac5875c89f0257ace2b8a92df02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c8ba4c4132f4a651ce7beec25f7e08a

SHA1
e2a18ee5ef8f5b596dc31e5c466e181168440546

SHA256
afdf0aa3fafa3849a88882ea0f3fe6851c32b0d843e218c744c1975dc4d98f18

SHA512
9412b23f86897558d1533cf612954c742353c532929349a4da3738ac1a7031d421093e28711afb60f031287c78c14ae05242ae026b9f40483c83082dffef6c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D43.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E20.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\nso3A16.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/2228-152-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-136-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-24-0x00000000013F0000-0x0000000002BFC000-memory.dmp

Filesize
24.0MB

Download
memory/2228-27-0x0000000077C40000-0x0000000077D16000-memory.dmp

Filesize
856KB

Download
memory/2228-26-0x0000000077C76000-0x0000000077C77000-memory.dmp

Filesize
4KB

Download
memory/2228-91-0x00000000013F0000-0x0000000002BFC000-memory.dmp

Filesize
24.0MB

Download
memory/2228-128-0x0000000077C40000-0x0000000077D16000-memory.dmp

Filesize
856KB

Download
memory/2228-130-0x00000000013F0000-0x0000000002BFC000-memory.dmp

Filesize
24.0MB

Download
memory/2228-131-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-132-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-133-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-134-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-135-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-158-0x0000000077C40000-0x0000000077D16000-memory.dmp

Filesize
856KB

Download
memory/2228-137-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-138-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-139-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-140-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-141-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-142-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-143-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-144-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-145-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-146-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-147-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-148-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-149-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-150-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-151-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-25-0x0000000077A50000-0x0000000077BF9000-memory.dmp

Filesize
1.7MB

Download
memory/2228-159-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-155-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-162-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-28-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-154-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-160-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-161-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-156-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-163-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-165-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-166-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-167-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-173-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-186-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-185-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-184-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-183-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-182-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-181-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-180-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-179-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-178-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-177-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-176-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-175-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-174-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-172-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-171-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-170-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-169-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2228-168-0x0000000000380000-0x00000000013E2000-memory.dmp

Filesize
16.4MB

Download
memory/2524-19-0x0000000004690000-0x0000000005E9C000-memory.dmp

Filesize
24.0MB

Download
memory/2524-20-0x0000000004690000-0x0000000005E9C000-memory.dmp

Filesize
24.0MB

Download
memory/2524-21-0x0000000077A50000-0x0000000077BF9000-memory.dmp

Filesize
1.7MB

Download
memory/2524-22-0x0000000077C40000-0x0000000077D16000-memory.dmp

Filesize
856KB

Download
memory/2524-23-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads