Malware Analysis Report

2025-06-16 03:44

Sample ID 240325-precwsfe64
Target shipping documents_pdf.exe
SHA256 32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482
Tags
guloader downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

32f3ca938c2ce5e47648ad52af6d01eb49d3f03d47dd7b45b91f8102aca68482

Threat Level: Known bad

The file shipping documents_pdf.exe was found to be: Known bad.

Malicious Activity Summary

guloader downloader

Guloader,Cloudeye

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 12:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 12:33

Reported

2024-03-25 12:36

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2000 set thread context of 592 N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\svbenes.lnk C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A
File opened for modification C:\Program Files (x86)\svbenes.lnk C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Program Files (x86)\svbenes.lnk

MD5 f05a6132a0e24d6c09afb5b4466bdec7
SHA1 40f265dba22f5d39f89a69619c6878cbedfcb560
SHA256 58ba460501e5000951d6bf5afd8a2da442599848dd74caeab96292d98775d662
SHA512 361581cdbb00afffaab25a7983b4ef8e39d5d8616786a83315922bd58652b5765cd3aa1d201ca894f9e6ac5ba0bb54f953a0aadea41aee440fc8ce6457246389

C:\Users\Admin\AppData\Local\Temp\nsz5E3F.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

memory/2000-11784-0x0000000004BD0000-0x0000000005AB3000-memory.dmp

memory/2000-11785-0x00000000773C1000-0x00000000774E1000-memory.dmp

memory/2000-11786-0x0000000010000000-0x0000000010006000-memory.dmp

memory/592-11787-0x0000000000400000-0x0000000001654000-memory.dmp

memory/592-11788-0x0000000001660000-0x0000000002543000-memory.dmp

memory/592-11789-0x0000000077448000-0x0000000077449000-memory.dmp

memory/592-11790-0x0000000077465000-0x0000000077466000-memory.dmp

memory/2000-11803-0x0000000004BD0000-0x0000000005AB3000-memory.dmp

memory/592-11804-0x0000000000400000-0x0000000001654000-memory.dmp

memory/592-11805-0x0000000001660000-0x0000000002543000-memory.dmp

memory/592-11807-0x00000000773C1000-0x00000000774E1000-memory.dmp

memory/2000-11812-0x0000000004BD0000-0x0000000005AB3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-25 12:33

Reported

2024-03-25 12:36

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-25 12:33

Reported

2024-03-25 12:36

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3424 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3424 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 184.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.178.184:80 tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 12:33

Reported

2024-03-25 12:36

Platform

win7-20240215-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

Signatures

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1772 set thread context of 568 N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\svbenes.lnk C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A
File opened for modification C:\Program Files (x86)\svbenes.lnk C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\shipping documents_pdf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp

Files

C:\Program Files (x86)\svbenes.lnk

MD5 7c55b0b2ee607af3fa8b4cb51ab328c7
SHA1 eb1fffe2ca44e01a91218d0bdf874df226f9fe3a
SHA256 753333752c7ccf892ce7362346ee452bb1021e57d1975b19e6a62ad7bf82b642
SHA512 141d591acbebd02f813063b4e2597a0cd9cc927da03bb1eba0d6efe9173057a5e4d6f28460ec5c4a26faffc9476aaeb83c6fe2bb1250523325f58c8c85f3db4e

\Users\Admin\AppData\Local\Temp\nso127A.tmp\System.dll

MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512 a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

memory/1772-11785-0x00000000041C0000-0x00000000050A3000-memory.dmp

memory/1772-11786-0x0000000077890000-0x0000000077A39000-memory.dmp

memory/1772-11787-0x0000000077A80000-0x0000000077B56000-memory.dmp

memory/1772-11788-0x0000000010000000-0x0000000010006000-memory.dmp

memory/568-11789-0x0000000000400000-0x0000000001462000-memory.dmp

memory/568-11790-0x0000000001470000-0x0000000002353000-memory.dmp

memory/568-11791-0x0000000077890000-0x0000000077A39000-memory.dmp

memory/568-11792-0x0000000077AB6000-0x0000000077AB7000-memory.dmp

memory/1772-11811-0x00000000041C0000-0x00000000050A3000-memory.dmp

memory/568-11812-0x0000000000400000-0x0000000001462000-memory.dmp

memory/568-11820-0x0000000001470000-0x0000000002353000-memory.dmp

memory/568-11821-0x0000000077A80000-0x0000000077B56000-memory.dmp

memory/1772-11830-0x00000000041C0000-0x00000000050A3000-memory.dmp