guloader | dcf86088586837cd7d690592bcd0a38c7bfd807b22b0a975da1a8773e551983a

Analysis

max time kernel
128s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-02-2024 09:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AWB-RO-202644066004734534543534534563456784576373.exe
Size

704KB
MD5

2bf4f7c342a2d3e07f3685b2334f4749
SHA1

ce2fc2a2899b4302ce2d55f732039240cc70529b
SHA256

dcf86088586837cd7d690592bcd0a38c7bfd807b22b0a975da1a8773e551983a
SHA512

b134b95882e7c67c636408fd874ab22f5c15e1965c525cf576df0bf45c56b0b7401c4e616e412682632174c0ac2ac51c3f73dd831e974181da548623ca311c82
SSDEEP

12288:PK5yuMYw7lskuR1fi+6wFF0JC2RTfuBZL+HlLwxOiMCyINCj:C5XMYwZluR10bJ4uHlLhlIkj

Score

10^/10

guloader remcos downloader persistence rat

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Loads dropped DLL 1 IoCs

pid	Process
1860	AWB-RO-202644066004734534543534534563456784576373.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Sheephead.exe"	wab.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\devastate.ini	AWB-RO-202644066004734534543534534563456784576373.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
752	wab.exe
752	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1860	AWB-RO-202644066004734534543534534563456784576373.exe
752	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1860 set thread context of 752	1860	AWB-RO-202644066004734534543534534563456784576373.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\hamus.ini	AWB-RO-202644066004734534543534534563456784576373.exe
File opened for modification	C:\Program Files (x86)\duodecimos.ini	AWB-RO-202644066004734534543534534563456784576373.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\folders\Sequenser.ini	AWB-RO-202644066004734534543534534563456784576373.exe
File opened for modification	C:\Windows\Forglemmes130\coatee.ini	AWB-RO-202644066004734534543534534563456784576373.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1860	AWB-RO-202644066004734534543534534563456784576373.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
752	wab.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 752	1860	AWB-RO-202644066004734534543534534563456784576373.exe	30
PID 1860 wrote to memory of 752	1860	AWB-RO-202644066004734534543534534563456784576373.exe	30
PID 1860 wrote to memory of 752	1860	AWB-RO-202644066004734534543534534563456784576373.exe	30
PID 1860 wrote to memory of 752	1860	AWB-RO-202644066004734534543534534563456784576373.exe	30
PID 1860 wrote to memory of 752	1860	AWB-RO-202644066004734534543534534563456784576373.exe	30
PID 1860 wrote to memory of 752	1860	AWB-RO-202644066004734534543534534563456784576373.exe	30

C:\Users\Admin\AppData\Local\Temp\AWB-RO-202644066004734534543534534563456784576373.exe
"C:\Users\Admin\AppData\Local\Temp\AWB-RO-202644066004734534543534534563456784576373.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Program Files (x86)\windows mail\wab.exe
  "C:\Users\Admin\AppData\Local\Temp\AWB-RO-202644066004734534543534534563456784576373.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Smklaasens.lnk

Filesize
1000B

MD5
4d61057050039c3744596f3ab3b7b7ca

SHA1
9f077b75ac6b1d7de7bb1f7ec03d1c3dcbad82e4

SHA256
1ec6238f963977cc7591edf5be20fb7ba0bbba0ad84f71d064bd55d796621f14

SHA512
06e6c79888480d2b8b0719d340e42b6dd1ff12091a01e989060efc40d407283d843fdcfa0d87fe393ac7bd031484a602748c38dcdfdee105884a7f50d8c697ae

Download Submit
\Users\Admin\AppData\Local\Temp\nso8AD3.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/752-301-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-279-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-267-0x00000000013E0000-0x000000000419D000-memory.dmp

Filesize
45.7MB

Download
memory/752-268-0x0000000077390000-0x0000000077466000-memory.dmp

Filesize
856KB

Download
memory/752-269-0x00000000773C6000-0x00000000773C7000-memory.dmp

Filesize
4KB

Download
memory/752-271-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-273-0x0000000077390000-0x0000000077466000-memory.dmp

Filesize
856KB

Download
memory/752-274-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-272-0x00000000013E0000-0x000000000419D000-memory.dmp

Filesize
45.7MB

Download
memory/752-275-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-276-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-277-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-278-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-302-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-280-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-281-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-282-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-283-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-284-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-285-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-286-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-287-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-288-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-290-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-291-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-292-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-293-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-296-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-297-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-298-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-303-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-299-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-306-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-266-0x00000000771A0000-0x0000000077349000-memory.dmp

Filesize
1.7MB

Download
memory/752-300-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-304-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-305-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-265-0x00000000013E0000-0x000000000419D000-memory.dmp

Filesize
45.7MB

Download
memory/752-307-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-308-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-309-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-310-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-311-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-312-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-313-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-315-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-316-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-317-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-318-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-319-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-320-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-321-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-322-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-323-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-324-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-325-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-326-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-327-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-328-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-329-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/752-330-0x0000000000370000-0x00000000013D2000-memory.dmp

Filesize
16.4MB

Download
memory/1860-260-0x0000000003430000-0x00000000061ED000-memory.dmp

Filesize
45.7MB

Download
memory/1860-261-0x0000000003430000-0x00000000061ED000-memory.dmp

Filesize
45.7MB

Download
memory/1860-262-0x00000000771A0000-0x0000000077349000-memory.dmp

Filesize
1.7MB

Download
memory/1860-263-0x0000000077390000-0x0000000077466000-memory.dmp

Filesize
856KB

Download
memory/1860-264-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads