guloader | c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe
Size

678KB
MD5

7d137e6d226fbac1929470bad2e491a4
SHA1

8ade719638ad770b75f056515a9ba9b002e173cc
SHA256

c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b
SHA512

94ac28a918371eef7db0b87724a95f802fb8f50ad02372ae71b1c75c283bb51d714395c8ac19c05d20362b3756f66227c0354c5da135844341ee36603f4c30e8
SSDEEP

12288:FLTA8PHO5mU0It6qqHfB3VhOR+p67OhZv2SI3u:9TA8PO5mU16/HtjDhZH

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5864	powershell.exe
1512	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5864 set thread context of 1512	5864	powershell.exe	98

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\navlebeskuer\candelabrums.lnk	c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\immaterialistic.man	c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe
File opened for modification	C:\Windows\resources\sylvies\skarksens.ini	c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe
File opened for modification	C:\Windows\Fonts\quietened\laar.Key219	c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe
5864	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5864	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5864	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 5864	4108	c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe	92
PID 4108 wrote to memory of 5864	4108	c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe	92
PID 4108 wrote to memory of 5864	4108	c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe	92
PID 5864 wrote to memory of 4920	5864	powershell.exe	95
PID 5864 wrote to memory of 4920	5864	powershell.exe	95
PID 5864 wrote to memory of 4920	5864	powershell.exe	95
PID 5864 wrote to memory of 1512	5864	powershell.exe	98
PID 5864 wrote to memory of 1512	5864	powershell.exe	98
PID 5864 wrote to memory of 1512	5864	powershell.exe	98
PID 5864 wrote to memory of 1512	5864	powershell.exe	98
PID 5864 wrote to memory of 1512	5864	powershell.exe	98

C:\Users\Admin\AppData\Local\Temp\c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe
"C:\Users\Admin\AppData\Local\Temp\c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -windowstyle hidden "$Archurger=Get-Content 'C:\Users\Admin\AppData\Roaming\enomaniac\Biomolecule\Shopmaid.Gra';$Ervin=$Archurger.SubString(62607,3);.$Ervin($Archurger)"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    3⤵
    PID:4920
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwjf1dej.32x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\enomaniac\Biomolecule\Shopmaid.Gra

Filesize
61KB

MD5
d003bc3b0862bfceec3a0869b7872b8a

SHA1
477a3475ffe393390c6faf530887d0d162662feb

SHA256
994c3a38ec25e17024e4260571b946d006aac11fcceb754bc68e18d13c394b51

SHA512
ae2a0a61e7d03afd55ede91c0712d89fa9b4504ac9b5db23a7e5f30d8a1fb226e71e9c6383bd1ec55b15cef61e952124b44f77cafd74aa5af4db6d7a92dab88a

Download Submit
C:\Users\Admin\AppData\Roaming\enomaniac\Biomolecule\diktionerne.Vis

Filesize
321KB

MD5
d4d2d97c9182b359fa8cc28fba4cb5f8

SHA1
93c12c72a585db9d5a2f9316437b75d652209bbe

SHA256
9c9b2adabaaca93b0da17d0c8562b3a22db406c1e3ba0a13b39932b848418d78

SHA512
e1ea667cbf530fcea7d7f13bb6c5cee3a0759403034b27754576b9a8f9db7bd5e6d2b68460728b16325d919133349ade192b2755b80413ff26b51cb3befba953

Download Submit
memory/1512-104-0x0000000002260000-0x0000000004825000-memory.dmp

Filesize
37.8MB

Download
memory/1512-102-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1512-97-0x0000000077838000-0x0000000077839000-memory.dmp

Filesize
4KB

Download
memory/1512-96-0x00000000777B1000-0x00000000778D1000-memory.dmp

Filesize
1.1MB

Download
memory/1512-91-0x0000000002260000-0x0000000004825000-memory.dmp

Filesize
37.8MB

Download
memory/5864-82-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-85-0x0000000008780000-0x000000000AD45000-memory.dmp

Filesize
37.8MB

Download
memory/5864-71-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

Filesize
120KB

Download
memory/5864-72-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/5864-73-0x0000000006E80000-0x0000000006F16000-memory.dmp

Filesize
600KB

Download
memory/5864-74-0x00000000061E0000-0x00000000061FA000-memory.dmp

Filesize
104KB

Download
memory/5864-75-0x0000000006230000-0x0000000006252000-memory.dmp

Filesize
136KB

Download
memory/5864-76-0x00000000074D0000-0x0000000007A74000-memory.dmp

Filesize
5.6MB

Download
memory/5864-60-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/5864-78-0x0000000008100000-0x000000000877A000-memory.dmp

Filesize
6.5MB

Download
memory/5864-80-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-81-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-53-0x0000000002710000-0x0000000002746000-memory.dmp

Filesize
216KB

Download
memory/5864-59-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/5864-84-0x0000000007250000-0x0000000007254000-memory.dmp

Filesize
16KB

Download
memory/5864-66-0x0000000005740000-0x0000000005A94000-memory.dmp

Filesize
3.3MB

Download
memory/5864-86-0x0000000008780000-0x000000000AD45000-memory.dmp

Filesize
37.8MB

Download
memory/5864-87-0x0000000073CB0000-0x0000000074460000-memory.dmp

Filesize
7.7MB

Download
memory/5864-88-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-89-0x00000000777B1000-0x00000000778D1000-memory.dmp

Filesize
1.1MB

Download
memory/5864-90-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-58-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/5864-92-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-94-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-95-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-55-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-56-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/5864-101-0x0000000008780000-0x000000000AD45000-memory.dmp

Filesize
37.8MB

Download
memory/5864-57-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/5864-54-0x0000000073CB0000-0x0000000074460000-memory.dmp

Filesize
7.7MB

Download
memory/5864-109-0x0000000073CB0000-0x0000000074460000-memory.dmp

Filesize
7.7MB

Download
memory/5864-110-0x0000000008780000-0x000000000AD45000-memory.dmp

Filesize
37.8MB

Download