Malware Analysis Report

2025-06-16 03:44

Sample ID 240325-pp46jafe28
Target shipping documents_pdf.exe
SHA256 32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482
Tags: guloader, downloader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482

Threat Level: Known bad

The file shipping documents_pdf.exe was found to be: Known bad.

Malicious Activity Summary

Tags: guloader, downloader

Guloader, Cloudeye

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 12:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 12:31

Reported

2024-03-25 12:33

Platform

win7-20240221-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

Signatures

Guloader, Cloudeye

Tags: downloader, guloader

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2236 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A
File opened for modification | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp

Files

C:\Program Files (x86)\svbenes.lnk

MD5 e46bab0f6f023d2a3fa6606b7f150b7c
SHA1 f2b4dd7317c8f08976b06e58ea95cde705b22a99
SHA256 ddb449bc2845a618168cabd8690e030f57bf3221b4d8f46d55abd28ac02f55d0
SHA512 b9651256a2b3572587cd7892338720b16740b3ab05ac71eea81eae14ba6cdad1d58c6331cba5eeb4fe109350fc63f9fa5a4b8a5fa768d107ddc49a408a2d2cc9

\Users\Admin\AppData\Local\Temp\nso9DB8.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 779b80f06dc17e0308cd0a7c5098b4a8
SHA1 c951e91e8d44f20219c1888107b084c1ea7e82a0
SHA256 169b4ba95045bdca9d7e95eb057ad0efb0549fac78959a05a27af5640470d3ac
SHA512 ae1fe68c0188be4da7055b3c452a3aef26fdfeddecd7b745f97779da2d31ae8d94c6f98c0bfef11e2ca40ea02f414e7c6394a2e7077137481358041f9ae16031

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 98d7d71899b69bd6c8e6a37c9b00eb66
SHA1 cfb50ec65212d957e1dada3e1f4ef412e4140322
SHA256 21b3c141417f1b236a826ac3484fead173f3de9393971636d816089740fe6261
SHA512 4c5815ed873b647eae7e06914d34c6fddaaff6ccab448969c0e4bf53d05a93391d6ecba0a72c21bf77da5b0387d7cd5b0cb02eef4afd397eb0e1da94cdaf364b

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 31c6763348290b55937c299798397fc4
SHA1 e3fb904fb7d0c4783d6eadd27cbb6490d9dbdb62
SHA256 54f670713e05b4255779429774d8449e432390becf3059efa49b2d48e34ead37
SHA512 f79cdbada225aa94c959d4be3a448194da1b209b47adb693a94c78b50cd9cd2cefb13028525f10a46ffc0fab6fa0e85245ce3a0e3c01d1b657c5557dcd16e383

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 c214d3d493e42611d47a33fafb39bc06
SHA1 ab6d2d1e65bd5a5842350a0098c3f36627a4b59d
SHA256 1ef2f84d2867769f0c9754089267b1b5cb8c372aef14de4a6f41da07966fd3d2
SHA512 218cdb58f9d3e7e85f6e19cf9981255b374b9f641c02cc392976e7a0120ae4d2c8f9762f4d2711350b8c3612be69e8512cc091d37d33deb8cb265974f7ac4b1b

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 7c9994efba81832c70af271c1579e0a6
SHA1 3a1cce125bc46a691317257b23f134bc18720621
SHA256 6a6e175a7ca2f7a483b70f797aab60749f9a8f911511a4cc2fb669cb04ed7530
SHA512 5021ef22848dd750ce8f866d2f9ea8154dba5bab373578de9aaf26189898d89f32355de396e4e444621d78e1284690304c3d459e9721a246ce795f11b10f1c56

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 fe75d42e640aa75505ec138c70140276
SHA1 06e551b4c6ebcae0123c906c29acf97fc81c8f41
SHA256 e82158dea2e25b8f6dd0ba3b714f35af07645243565bb340c34fd63288281f24
SHA512 6589636c8ee71c6fceae8cf3f26ba20448dfb0a25f28e8f52493dc18ac18e5fb55a0c977c5ed7db9d0ce00e7709d5a7c06d92e89aa3ed8044a61052daae02394

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 9c847f1ad21f08842521a173b9d00432
SHA1 d987cb50a957666f4089f604d34a7be0ee2a17f7
SHA256 63c28f692fcc1bc08347f6b1cdc814602a08967fe3a64b967cea3ada69af2a44
SHA512 c90ba042249970d2d85f40cc60f765d46d55127bb398839f2d2a126e47762e1c75a646ae414b33e20d5b46c63be2962539d6b42027d05ffc8d0fe2830fd8d359

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 614ecfc851e7e863309121f8137f266f
SHA1 c6f0fe87be453ef9ccc55c724a9a0a8f73fdeffd
SHA256 757c044693441357d1e3efe2be7385f888ee33f80bb8d57b01f49ffbc420fd63
SHA512 9581acdafa8b36610845552ea6c24954efa585dff300f56d72e26d9536e73872b05fc1d7e53a66d3e663702554eff2c3683fae2589f1c7eb2650584b43a1b781

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 ea9cb56bf8b284444ac0d5f604e323c6
SHA1 c2fe4d26b795e26615d7597df3ba1cbd83547248
SHA256 16607c7901e408b5e4367e8da3b8dfc51d0b47e110e3dc291a9d0951595443a6
SHA512 359141fd551a91bf8c306e655f8efcfd98f3c1f1058a62f2575e420731ceb175dc7cafe25ffca64e963517aaf756f1cd062f0aa2e20f01af1427a0ecd9d5a95b

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 38c6f7822cd89991db6fccc5b04b96c9
SHA1 cec31a690a8d9395d59946690f7528ce5f5e0114
SHA256 2eba686a57cb8d9b9633c14fdb01b45f88dda41e4c1b5ad9e04c76342d028146
SHA512 a6cb93d984fe69f4f4a2bda9001dac25897e6127ccb848762999a9eb8d18d69fbda7308eb1e8d32f9b9e94678b874dcede10066980a56333d8a2d19a5a7a0db8

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 2036172597e1b4963fd3b7e13d40673a
SHA1 7e0bf45ec820a491bba227bf40ffd241f7c64dd0
SHA256 884a935a2c03c220dfeb62bea02d289069c5f84e3dc6cabe4c606e884362790a
SHA512 e5c74658515b7b9a976b1d70d133ff1faad87336e28827b91f07fa33a9edee9d9dc235b8625f066340030a541fe329d4ba85ec8c8c1991ff78284d638fc4279b

C:\Users\Admin\AppData\Local\Temp\Setup.ini

MD5 a5abbcb8df7be9fb106cf4b866de5789
SHA1 3ade531f3aee7c2ed0d3a99eeb9ddf81b37e1f64
SHA256 f3e010af71ac7ee31d4e97940983e9d7b4860f35daae17da8aac46f17b3ec13f
SHA512 18d4860fd132e0bdecae35743d2c065c7e17bf1c38ed0199a59738100eec4fe820832b4a99e88a212e57b05d85bbca5a3a642a94d840674438c1f70b766f835f

memory/2236-11785-0x0000000003970000-0x0000000004853000-memory.dmp

memory/2236-11787-0x0000000077080000-0x0000000077156000-memory.dmp

memory/2236-11786-0x0000000076E90000-0x0000000077039000-memory.dmp

memory/2236-11788-0x0000000010000000-0x0000000010006000-memory.dmp

memory/1944-11789-0x0000000000400000-0x0000000001462000-memory.dmp

memory/2236-11790-0x0000000003970000-0x0000000004853000-memory.dmp

memory/1944-11791-0x0000000001470000-0x0000000002353000-memory.dmp

memory/1944-11792-0x0000000076E90000-0x0000000077039000-memory.dmp

memory/1944-11793-0x00000000770B6000-0x00000000770B7000-memory.dmp

memory/1944-11794-0x0000000000400000-0x0000000001462000-memory.dmp

memory/1944-11820-0x0000000001470000-0x0000000002353000-memory.dmp

memory/1944-11821-0x0000000077080000-0x0000000077156000-memory.dmp

memory/2236-11830-0x0000000003970000-0x0000000004853000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 12:31

Reported

2024-03-25 12:33

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

Signatures

Guloader, Cloudeye

Tags: downloader, guloader

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4976 set thread context of 4276 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A
File opened for modification | C:\Program Files (x86)\svbenes.lnk | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 128.230.140.95.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

C:\Program Files (x86)\svbenes.lnk

MD5 8094999d00f84d2225ad7cb9b96f69ff
SHA1 8099edfd44483f38ec8d2b37693d6b2723ad6234
SHA256 cedc18ac6e659d826067aec61509af5ae2f6cecb806f56db25cc31660ae302f9
SHA512 4c25639f28dc8505e799691bf7fe823f1666ba7a618da123d25382a3f79998f60ee988cd7e57d2b4b0a6a33c8aebc04cf2466a02adeafc6a5644ac90d4950897

C:\Users\Admin\AppData\Local\Temp\nst904B.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

memory/4976-11784-0x00000000049C0000-0x00000000058A3000-memory.dmp

memory/4976-11785-0x0000000077831000-0x0000000077951000-memory.dmp

memory/4976-11786-0x0000000010000000-0x0000000010006000-memory.dmp

memory/4276-11787-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4276-11788-0x0000000001660000-0x0000000002543000-memory.dmp

memory/4976-11789-0x00000000049C0000-0x00000000058A3000-memory.dmp

memory/4276-11790-0x00000000778B8000-0x00000000778B9000-memory.dmp

memory/4276-11791-0x00000000778D5000-0x00000000778D6000-memory.dmp

memory/4276-11804-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4276-11806-0x0000000001660000-0x0000000002543000-memory.dmp

memory/4276-11807-0x0000000077831000-0x0000000077951000-memory.dmp

memory/4976-11812-0x00000000049C0000-0x00000000058A3000-memory.dmp
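The Files sections of behavioral1 and behavioral2 show three different hash behaviours: Setup.ini is listed twelve times in behavioral1 with twelve different digests, the installer's System.dll sits under a different random ns....tmp directory in each run but carries the same digest in both, and svbenes.lnk has one digest on win7 and another on win10. The Python below is an added example, not the sandbox's own code, that parses those path/hash blocks (a subset of the entries is embedded verbatim), groups digests by path, and compares two runs after normalising the random plugin directory. The ns<letter><hex>.tmp naming rule and the placeholder key used for it are this example's assumptions.

```python
"""Group dropped-file hashes by path and compare them across sandbox runs.

Added example for this report, not the sandbox's own code. FILES_B1 and
FILES_B2 are copied from the behavioral1 and behavioral2 Files sections
(three of behavioral1's twelve Setup.ini entries, to keep the block short).
The NSIS plugin-directory pattern (ns<letter><hex>.tmp\\System.dll) is inferred
from the two paths the report shows and is this example's assumption.
"""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Random per-run temp directory the installer extracts its System plugin into.
NSIS_PLUGIN_RE = re.compile(r"\\ns[a-z][0-9a-f]{1,4}\.tmp\\System\.dll$", re.IGNORECASE)
NSIS_PLUGIN_KEY = "<nsis-plugindir>\\System.dll"

FILES_B1 = r"""
C:\Program Files (x86)\svbenes.lnk
MD5 e46bab0f6f023d2a3fa6606b7f150b7c
SHA256 ddb449bc2845a618168cabd8690e030f57bf3221b4d8f46d55abd28ac02f55d0

\Users\Admin\AppData\Local\Temp\nso9DB8.tmp\System.dll
MD5 ee260c45e97b62a5e42f17460d406068
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

C:\Users\Admin\AppData\Local\Temp\Setup.ini
MD5 779b80f06dc17e0308cd0a7c5098b4a8
SHA256 169b4ba95045bdca9d7e95eb057ad0efb0549fac78959a05a27af5640470d3ac

C:\Users\Admin\AppData\Local\Temp\Setup.ini
MD5 98d7d71899b69bd6c8e6a37c9b00eb66
SHA256 21b3c141417f1b236a826ac3484fead173f3de9393971636d816089740fe6261

C:\Users\Admin\AppData\Local\Temp\Setup.ini
MD5 31c6763348290b55937c299798397fc4
SHA256 54f670713e05b4255779429774d8449e432390becf3059efa49b2d48e34ead37
"""

FILES_B2 = r"""
C:\Program Files (x86)\svbenes.lnk
MD5 8094999d00f84d2225ad7cb9b96f69ff
SHA256 cedc18ac6e659d826067aec61509af5ae2f6cecb806f56db25cc31660ae302f9

C:\Users\Admin\AppData\Local\Temp\nst904B.tmp\System.dll
MD5 ee260c45e97b62a5e42f17460d406068
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
"""


def parse_files(text):
    """Return [(path, {algo: digest}), ...] in report order: a non-blank line
    that is not a hash line starts a new record, hash lines attach to it."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            records.append((line, {}))
        elif records:
            records[-1][1][m.group(1)] = m.group(2)
    return records


def sha256_by_path(records):
    groups = defaultdict(list)
    for path, hashes in records:
        groups[path].append(hashes["SHA256"])
    return groups


def rewritten_paths(records):
    """Paths that appear more than once -> number of distinct contents seen.
    Setup.ini is rewritten repeatedly with different content within one run,
    so a single digest of it is not a usable indicator."""
    return {p: len(set(h)) for p, h in sha256_by_path(records).items() if len(h) > 1}


def compare_runs(run_a, run_b):
    """(stable, differing) path sets across two runs, with the random NSIS temp
    directory normalised so System.dll can be matched between them."""
    def norm(path):
        return NSIS_PLUGIN_KEY if NSIS_PLUGIN_RE.search(path) else path
    a = {norm(p): set(h) for p, h in sha256_by_path(run_a).items()}
    b = {norm(p): set(h) for p, h in sha256_by_path(run_b).items()}
    shared = a.keys() & b.keys()
    return {p for p in shared if a[p] == b[p]}, {p for p in shared if a[p] != b[p]}


if __name__ == "__main__":
    b1, b2 = parse_files(FILES_B1), parse_files(FILES_B2)
    print(rewritten_paths(b1))   # {'C:\\Users\\Admin\\AppData\\Local\\Temp\\Setup.ini': 3}
    print(compare_runs(b1, b2))  # ({'<nsis-plugindir>\\System.dll'}, {'C:\\Program Files (x86)\\svbenes.lnk'})
```

What this separates is worth keeping in mind when lifting indicators from the report: the one digest that is stable across runs belongs to the installer framework's System plugin rather than to anything specific to this sample, the .lnk digest depends on the host it was written on, and Setup.ini changes while the sample runs. For those two files the path (C:\Program Files (x86)\svbenes.lnk, %TEMP%\Setup.ini) is the indicator, not the digest.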

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-25 12:31

Reported

2024-03-25 12:33

Platform

win7-20240221-en

Max time kernel

118s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 228

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-25 12:31

Reported

2024-03-25 12:33

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3888 wrote to memory of 3684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3888 wrote to memory of 3684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3888 wrote to memory of 3684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3684 -ip 3684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 612
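The SetThreadContext row in behavioral1 (PID 2236 into PID 1944, both running shipping documents_pdf.exe) and the WriteProcessMemory rows in behavioral4 (3888, the system32 rundll32, into 3684, the SysWOW64 rundll32, which WerFault then reports with -p 3684) are the same kind of evidence: a cross-process memory operation plus the image on each side. The Python below is an added example, not the sandbox's own code, that parses those report rows and the WerFault command lines, labels each source/target pair by whether the two images match, and ties event targets to the crash. The label names, the tuple layouts, and the reading of the rundll32 pair as a 64-bit host starting its 32-bit counterpart for a 32-bit DLL are this example's assumptions.

```python
"""Correlate cross-process memory events with process images and crash reports.

Added example for this report, not the sandbox's own code. The row strings and
command lines below are copied from the behavioral1 and behavioral4 sections;
the labels returned by classify() and the tuple layouts are this example's own
choices.
"""
import re
from collections import Counter

# Report wording: "PID 2236 set thread context of 1944",
#                 "PID 3888 wrote to memory of 3684".
ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)$")
# WerFault names the faulting process after -p ("-pss -s 408 -p 3684 -ip 3684",
# "-u -p 3684 -s 612"); "-pss" must not be mistaken for "-p".
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)")


def parse_events(rows):
    """rows: (description, process, target) triples taken from the report's
    Description/Process/Target columns. Returns a Counter keyed by
    (kind, source_pid, target_pid, source_image, target_image) so that the
    three identical behavioral4 rows are counted instead of collapsed."""
    events = Counter()
    for desc, proc, target in rows:
        m = ROW_RE.match(desc)
        if not m:
            continue
        kind = "SetThreadContext" if m.group(2).startswith("set") else "WriteProcessMemory"
        events[(kind, int(m.group(1)), int(m.group(3)), proc, target)] += 1
    return events


def classify(events):
    """Map (source_pid, target_pid) -> "<same|cross>_image_<thread_context|write>".

    same_image_thread_context is the behavioral1 shape: 2236 set the thread
    context of 1944 while both ran shipping documents_pdf.exe, i.e. the parent
    redirected execution inside a child of its own image. cross_image_write is
    the behavioral4 shape: system32\\rundll32.exe wrote into
    SysWOW64\\rundll32.exe, which is what a 64-bit rundll32 starting its 32-bit
    counterpart for a 32-bit DLL looks like (this reading is the example's
    assumption, not a statement in the report)."""
    labels = {}
    for (kind, src, dst, src_img, dst_img) in events:
        scope = "same_image" if src_img.lower() == dst_img.lower() else "cross_image"
        op = "thread_context" if kind == "SetThreadContext" else "write"
        labels[(src, dst)] = f"{scope}_{op}"
    return labels


def crashed_pids(command_lines):
    """PIDs that WerFault was invoked for."""
    return {int(m.group(1)) for cmd in command_lines
            for m in [WERFAULT_PID_RE.search(cmd)] if m}


def targets_that_crashed(rows, command_lines):
    """Targets of cross-process memory events that later show up in WerFault:
    in behavioral4 that is 3684, the SysWOW64 rundll32 hosting System.dll."""
    crashed = crashed_pids(command_lines)
    return {dst for (_kind, _src, dst, _si, _di) in parse_events(rows) if dst in crashed}


# Rows copied from the report (Description, Process, Target).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"
BEHAVIORAL1_ROWS = [("PID 2236 set thread context of 1944", SAMPLE_EXE, SAMPLE_EXE)]
BEHAVIORAL4_ROWS = [("PID 3888 wrote to memory of 3684",
                     r"C:\Windows\system32\rundll32.exe",
                     r"C:\Windows\SysWOW64\rundll32.exe")] * 3
BEHAVIORAL4_CMDS = [r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3684 -ip 3684",
                    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 612"]

if __name__ == "__main__":
    print(classify(parse_events(BEHAVIORAL1_ROWS)))                 # {(2236, 1944): 'same_image_thread_context'}
    print(classify(parse_events(BEHAVIORAL4_ROWS)))                 # {(3888, 3684): 'cross_image_write'}
    print(targets_that_crashed(BEHAVIORAL4_ROWS, BEHAVIORAL4_CMDS))  # {3684}
```

The distinction worth carrying into a detection rule: a thread-context write into a freshly started child of the same image is the self-injection pattern behavioral1 and behavioral2 show, and is what the child's large 0x400000 region dumps in the Files lists belong to; a memory write between two differently located rundll32 binaries, followed by a crash of the 32-bit one, is what the analyst-started rundll32 runs in behavioral3 and behavioral4 look like and says nothing about the sample's own behaviour.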

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
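The Network tables mix three kinds of rows: forward lookups and the TCP connections that follow them (drive.google.com and drive.usercontent.google.com on 443 in behavioral1 and behavioral2), reverse (in-addr.arpa) lookups, and, in behavioral4, Bing traffic plus two connections with no domain column. The Python below is an added example, not the sandbox's own code, that parses those rows (subsets of behavioral2 and behavioral4 are embedded verbatim), checks whether each reverse lookup names an address the run itself connected to, and buckets the remaining connections. The hosting-domain list is taken from the report's "Legitimate hosting services abused for malware hosting/C2" signature and the endpoint the run resolved next to it; treating the Bing hosts as OS/Edge background rather than the sample's traffic is this example's assumption.

```python
"""Separate sample-attributable destinations from sandbox background traffic.

Added example for this report, not the sandbox's own code. NETWORK_B2 and
NETWORK_B4 are subsets of the behavioral2 and behavioral4 Network tables.
HOSTING_DOMAINS comes from the report's "Legitimate hosting services abused"
signature plus the drive.usercontent.google.com endpoint the run resolved;
BACKGROUND_DOMAINS is this example's assumption that the Bing hosts are
OS/Edge background traffic rather than the sample's.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "country ip port domain proto")

HOSTING_DOMAINS = {"drive.google.com", "drive.usercontent.google.com"}
BACKGROUND_DOMAINS = {"g.bing.com", "tse1.mm.bing.net"}   # assumption, see above

NETWORK_B2 = """
Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
"""

NETWORK_B4 = """
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
IE 52.111.236.22:443 tcp
"""


def parse_rows(text):
    """Rows are 'Country Destination Domain Proto'; the Domain column is empty
    for connections the sandbox could not tie to a name (3 tokens)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def ptr_target(domain):
    """'78.169.217.172.in-addr.arpa' -> '172.217.169.78'; None for other names.
    PTR names carry the octets reversed, so a reverse lookup can be matched
    back to the address it asks about."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[: -len(suffix)].split(".")))


def triage(flows):
    """Bucket non-DNS flows and note which reverse lookups name the run's own peers."""
    connected = {f.ip for f in flows if f.proto == "tcp"}
    out = {"hosting": set(), "background": set(), "unresolved": set(),
           "other": set(), "ptr_of_own_peers": set()}
    for f in flows:
        target = ptr_target(f.domain)
        if target is not None:
            if target in connected:
                out["ptr_of_own_peers"].add(target)
            continue
        if f.proto == "udp" and f.port == 53:
            continue          # forward lookup; the tcp flow that follows carries the name
        if f.domain in HOSTING_DOMAINS:
            out["hosting"].add((f.domain, f.ip, f.port))
        elif f.domain in BACKGROUND_DOMAINS:
            out["background"].add((f.domain, f.ip, f.port))
        elif not f.domain:
            out["unresolved"].add((f.ip, f.port))
        else:
            out["other"].add((f.domain, f.ip, f.port))
    return out


if __name__ == "__main__":
    for name, text in (("behavioral2", NETWORK_B2), ("behavioral4", NETWORK_B4)):
        print(name, triage(parse_rows(text)))
```

Two things fall out of the buckets. First, the reverse lookups in behavioral2 that name the run's own peers (172.217.169.78 and 142.250.179.225) are the sandbox or OS resolving addresses the sample just connected to, not the sample reaching new infrastructure, so they add no indicator. Second, the 443 endpoints behind drive.google.com are shared Google front ends; the report's own indicator, the domain under the "Legitimate hosting services abused" signature, is the usable one, and an address-based block on 172.217.169.78 would also hit unrelated Google traffic.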

Files

N/A