guloader | 01beeda976d48dc4c029032b0113fed68e00a2736cc03667c065f7bf7440eec2

General

Target

UMMAN İHRACAT AFR5641 910-1714 1633.exe
Size

503KB
MD5

bf56c567703447c78773f3e581a004db
SHA1

80ec3b7f7b5f7e2df367dff512b508a21c682111
SHA256

01beeda976d48dc4c029032b0113fed68e00a2736cc03667c065f7bf7440eec2
SHA512

b67e817ab691ab8257826b5a90fb7731801765b5e1299f1ee5235aa36065d082a04ca276c735eea0480a5e27382047b488227bd4e887a4176639cd64fd4c2f5b
SSDEEP

12288:fzA/ggggjlFZKqUVReLAu8xzRCf8CzQXX:U/ggggjHZbU5Po0CcXX

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Paaskelrdag% -windowstyle minimized $Sisies=(Get-ItemProperty -Path 'HKCU:\\Jomfruburenes192\\').Minnesingers;%Paaskelrdag% ($Sisies)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2868 wab.exe
2868 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

3020 powershell.exe
2868 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3020 set thread context of 2868 3020 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2724 reg.exe

pid	process
2868	wab.exe
2868	wab.exe

description	pid	process	target process
PID 3020 set thread context of 2868	3020	powershell.exe	wab.exe

pid	process
2724	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

3020 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3020 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3020	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

UMMAN İHRACAT AFR5641 910-1714 1633.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 1960 wrote to memory of 3020	1960	UMMAN İHRACAT AFR5641 910-1714 1633.exe	powershell.exe
PID 1960 wrote to memory of 3020	1960	UMMAN İHRACAT AFR5641 910-1714 1633.exe	powershell.exe
PID 1960 wrote to memory of 3020	1960	UMMAN İHRACAT AFR5641 910-1714 1633.exe	powershell.exe
PID 1960 wrote to memory of 3020	1960	UMMAN İHRACAT AFR5641 910-1714 1633.exe	powershell.exe
PID 3020 wrote to memory of 2636	3020	powershell.exe	cmd.exe
PID 3020 wrote to memory of 2636	3020	powershell.exe	cmd.exe
PID 3020 wrote to memory of 2636	3020	powershell.exe	cmd.exe
PID 3020 wrote to memory of 2636	3020	powershell.exe	cmd.exe
PID 3020 wrote to memory of 2868	3020	powershell.exe	wab.exe
PID 3020 wrote to memory of 2868	3020	powershell.exe	wab.exe
PID 3020 wrote to memory of 2868	3020	powershell.exe	wab.exe
PID 3020 wrote to memory of 2868	3020	powershell.exe	wab.exe
PID 3020 wrote to memory of 2868	3020	powershell.exe	wab.exe
PID 3020 wrote to memory of 2868	3020	powershell.exe	wab.exe
PID 2868 wrote to memory of 2404	2868	wab.exe	cmd.exe
PID 2868 wrote to memory of 2404	2868	wab.exe	cmd.exe
PID 2868 wrote to memory of 2404	2868	wab.exe	cmd.exe
PID 2868 wrote to memory of 2404	2868	wab.exe	cmd.exe
PID 2404 wrote to memory of 2724	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2724	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2724	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2724	2404	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\UMMAN İHRACAT AFR5641 910-1714 1633.exe
"C:\Users\Admin\AppData\Local\Temp\UMMAN İHRACAT AFR5641 910-1714 1633.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Escrow=Get-Content 'C:\Users\Admin\AppData\Roaming\skabiose\slgtsarvens\prender\Vitaminerne\Taksonomiske24\Trephining\Piloters\Recepternes.pen';$Unreverberating=$Escrow.SubString(58974,3);.$Unreverberating($Escrow)"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
3⤵
PID:2636

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Paaskelrdag% -windowstyle minimized $Sisies=(Get-ItemProperty -Path 'HKCU:\Jomfruburenes192\').Minnesingers;%Paaskelrdag% ($Sisies)"
4⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Paaskelrdag% -windowstyle minimized $Sisies=(Get-ItemProperty -Path 'HKCU:\Jomfruburenes192\').Minnesingers;%Paaskelrdag% ($Sisies)"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
75c3ba33e23b3bc3a14058a7df82fa17

SHA1
d37c8a70e80244d9d9567bad09d5546b88408c33

SHA256
0ce2abb3e24da067ef7885af46886cada11c74a47adc42a21a4b05dade7c8c42

SHA512
2081615fd4f53eca0234eb42fc01df14321d3984b84d7e935c840f19e44e7a0a095a831e4bc470e938d0455286a1e6dad87219474a49393d16c91eb33a83205d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFECB.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\skabiose\slgtsarvens\prender\Grouchy.Opl
Filesize
302KB

MD5
16c2e56de9c7bea98d12e66613e04e83

SHA1
f69245121a7b6a309f94c4dea5d765e90200c5f2

SHA256
2d7e6c0e1bcf0f9f4db98c9cc7576cb87017f3defdff31f5c83d3eb414e56e92

SHA512
0c04b63973824e5f0403f99120dd250c316483fc13b689d428a979d52ebabeceeaa81751e0aed5e83a8c1aedfb11990b2a38f9b84a82d7342d93b20b49901824

Download Submit
C:\Users\Admin\AppData\Roaming\skabiose\slgtsarvens\prender\Vitaminerne\Taksonomiske24\Trephining\Piloters\Recepternes.pen
Filesize
57KB

MD5
24e44ec408c4fb8b429adb0ee5869985

SHA1
1913f35995281fec0c9f586fd73d6a2f4e64a5ca

SHA256
cf1db414b602f31a34655222809a3542f96a8ffcf0e43dfdbc341192f8298f71

SHA512
76b152a80b4f9537c1cd3fb6209021040946c0e7c75fe907f9b95e9f4446b2f12ef54be9721de7b13929df0e1d555db38f470d43f9142b4c1b87e74768819425

Download Submit
memory/2868-101-0x00000000006E0000-0x0000000001742000-memory.dmp

Filesize
16.4MB

Download
memory/2868-27-0x0000000001750000-0x0000000003B7F000-memory.dmp

Filesize
36.2MB

Download
memory/2868-117-0x0000000077400000-0x00000000774D6000-memory.dmp

Filesize
856KB

Download
memory/2868-116-0x0000000001750000-0x0000000003B7F000-memory.dmp

Filesize
36.2MB

Download
memory/2868-31-0x0000000077436000-0x0000000077437000-memory.dmp

Filesize
4KB

Download
memory/2868-30-0x0000000077400000-0x00000000774D6000-memory.dmp

Filesize
856KB

Download
memory/2868-29-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/3020-16-0x0000000005DC0000-0x0000000005EC0000-memory.dmp

Filesize
1024KB

Download
memory/3020-18-0x00000000051B0000-0x00000000051B4000-memory.dmp

Filesize
16KB

Download
memory/3020-25-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/3020-26-0x0000000077400000-0x00000000774D6000-memory.dmp

Filesize
856KB

Download
memory/3020-22-0x00000000062E0000-0x000000000870F000-memory.dmp

Filesize
36.2MB

Download
memory/3020-28-0x00000000062E0000-0x000000000870F000-memory.dmp

Filesize
36.2MB

Download
memory/3020-21-0x00000000062E0000-0x000000000870F000-memory.dmp

Filesize
36.2MB

Download
memory/3020-20-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/3020-19-0x0000000073AC0000-0x000000007406B000-memory.dmp

Filesize
5.7MB

Download
memory/3020-24-0x0000000005DC0000-0x0000000005EC0000-memory.dmp

Filesize
1024KB

Download
memory/3020-8-0x0000000073AC0000-0x000000007406B000-memory.dmp

Filesize
5.7MB

Download
memory/3020-15-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/3020-12-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/3020-11-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/3020-10-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/3020-9-0x0000000073AC0000-0x000000007406B000-memory.dmp

Filesize
5.7MB

Download
memory/3020-119-0x00000000062E0000-0x000000000870F000-memory.dmp

Filesize
36.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads