guloader | 8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27

General

Target

8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe
Size

987KB
MD5

189590b2755ed6f134d8fe2c05124926
SHA1

e492eb975348e50a32c792d26441cc00912987e7
SHA256

8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27
SHA512

bf1280546ff4dacddd1b5d08a3a447bb8ccbe2e7c974654e43a266507d6c82080b6f802e4e96ef9f6c5dc0dbc43df64782d66d99e134797971427e88c32219fb
SSDEEP

24576:gIqqULDjF7yCOrJHFTuvMJbmhQU/YydIE5Lt6:9sxANuvMxmhB/Yly6

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\mediates = "%Linieringernes% -windowstyle minimized $Localisers=(Get-ItemProperty -Path 'HKCU:\\Officialvirksomhed\\').pshaws;%Linieringernes% ($Localisers)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2040 wab.exe
2040 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

844 powershell.exe
2040 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 844 set thread context of 2040 844 powershell.exe wab.exe

pid	process
2040	wab.exe
2040	wab.exe

pid	process
844	powershell.exe
2040	wab.exe

description	pid	process	target process
PID 844 set thread context of 2040	844	powershell.exe	wab.exe

Drops file in Program Files directory 1 IoCs

Processes:

8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Levantine.ini	8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe

Drops file in Windows directory 2 IoCs

Processes:

8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\tashlik.ini	8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe
File opened for modification	C:\Windows\resources\0409\marmoreret.ini	8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

640 reg.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exe

pid process

844 powershell.exe
844 powershell.exe
844 powershell.exe
844 powershell.exe
844 powershell.exe
844 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

844 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 844 powershell.exe

pid	process
640	reg.exe

pid	process
844	powershell.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe

pid	process
844	powershell.exe

description	pid	process
Token: SeDebugPrivilege	844	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 844	1992	8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe	powershell.exe
PID 1992 wrote to memory of 844	1992	8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe	powershell.exe
PID 1992 wrote to memory of 844	1992	8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe	powershell.exe
PID 1992 wrote to memory of 844	1992	8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe	powershell.exe
PID 844 wrote to memory of 2848	844	powershell.exe	cmd.exe
PID 844 wrote to memory of 2848	844	powershell.exe	cmd.exe
PID 844 wrote to memory of 2848	844	powershell.exe	cmd.exe
PID 844 wrote to memory of 2848	844	powershell.exe	cmd.exe
PID 844 wrote to memory of 2040	844	powershell.exe	wab.exe
PID 844 wrote to memory of 2040	844	powershell.exe	wab.exe
PID 844 wrote to memory of 2040	844	powershell.exe	wab.exe
PID 844 wrote to memory of 2040	844	powershell.exe	wab.exe
PID 844 wrote to memory of 2040	844	powershell.exe	wab.exe
PID 844 wrote to memory of 2040	844	powershell.exe	wab.exe
PID 2040 wrote to memory of 692	2040	wab.exe	cmd.exe
PID 2040 wrote to memory of 692	2040	wab.exe	cmd.exe
PID 2040 wrote to memory of 692	2040	wab.exe	cmd.exe
PID 2040 wrote to memory of 692	2040	wab.exe	cmd.exe
PID 692 wrote to memory of 640	692	cmd.exe	reg.exe
PID 692 wrote to memory of 640	692	cmd.exe	reg.exe
PID 692 wrote to memory of 640	692	cmd.exe	reg.exe
PID 692 wrote to memory of 640	692	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe
"C:\Users\Admin\AppData\Local\Temp\8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Forstbotanikkens=Get-Content 'C:\Users\Admin\AppData\Local\nervier\Estampede\sipunculacean\Entreprenren.Out';$Vaabentypers=$Forstbotanikkens.SubString(61389,3);.$Vaabentypers($Forstbotanikkens)"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
3⤵
PID:2848

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "mediates" /t REG_EXPAND_SZ /d "%Linieringernes% -windowstyle minimized $Localisers=(Get-ItemProperty -Path 'HKCU:\Officialvirksomhed\').pshaws;%Linieringernes% ($Localisers)"
4⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "mediates" /t REG_EXPAND_SZ /d "%Linieringernes% -windowstyle minimized $Localisers=(Get-ItemProperty -Path 'HKCU:\Officialvirksomhed\').pshaws;%Linieringernes% ($Localisers)"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7f1dc33ae031d0e0c68f515960b6434c

SHA1
041300fe005e864bf38d8188937eb7ebdd6a4c4f

SHA256
758d63ea03873376d2d9332ed3b6bcc1f3e077748025bb011cf065d78a33c496

SHA512
8bcf6e0e5dbf1e582dec1c5e1164c25415385963a291cb2d716351611f9ecd32f4ea4e449864f6e9d3e53828de6fd4211ec3ba25efe40367642b3bf55cfbb764

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab670F.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar687C.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\nervier\Estampede\sipunculacean\Entreprenren.Out
Filesize
60KB

MD5
030ce4392c4a8cc1b477bc3deeacb683

SHA1
8f36406d9572e6ccf966fb69c0934c234e0617e6

SHA256
7e9decd5f91e30b000266db010c2ad399bfd06f64ec43f48ca0f3bc36d69ca6c

SHA512
3ec59592857d073ea3f59cd5279fdd4d862ba0a102de7bb3f96db73b64af362c5f017802afe78cb5299a0185f406e4fec097c9986b74d591183ab2aba114e4f4

Download Submit
C:\Users\Admin\AppData\Local\nervier\Estampede\sipunculacean\Sammenrends.Sla
Filesize
295KB

MD5
3a62f30a51fea9390cd360b7f581c4b3

SHA1
afdb9cd054c757b7f65dc150ed2dbbf061f8fab2

SHA256
f990b58058ccb0cdf3f0f64c78c24b8f41f5228f90c823369e49decbdc791f05

SHA512
b25f81bc7c9c8e43027dff70c9d8ce5cc4c1a803abfc3c193ab80d638e5bbd22e6bb382266bcc69872185ea7ebe6bedc05125d04b7b7420b98e931e6d3ad098b

Download Submit
memory/844-23-0x0000000005520000-0x0000000005524000-memory.dmp

Filesize
16KB

Download
memory/844-19-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/844-24-0x0000000006740000-0x0000000007312000-memory.dmp

Filesize
11.8MB

Download
memory/844-25-0x0000000006740000-0x0000000007312000-memory.dmp

Filesize
11.8MB

Download
memory/844-26-0x00000000773A0000-0x0000000077549000-memory.dmp

Filesize
1.7MB

Download
memory/844-27-0x0000000077590000-0x0000000077666000-memory.dmp

Filesize
856KB

Download
memory/844-28-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/844-122-0x0000000006740000-0x0000000007312000-memory.dmp

Filesize
11.8MB

Download
memory/844-30-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/844-17-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/844-16-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/844-18-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/844-34-0x0000000006740000-0x0000000007312000-memory.dmp

Filesize
11.8MB

Download
memory/844-21-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/2040-53-0x00000000003B0000-0x0000000001412000-memory.dmp

Filesize
16.4MB

Download
memory/2040-33-0x0000000077590000-0x0000000077666000-memory.dmp

Filesize
856KB

Download
memory/2040-32-0x00000000775C6000-0x00000000775C7000-memory.dmp

Filesize
4KB

Download
memory/2040-31-0x00000000773A0000-0x0000000077549000-memory.dmp

Filesize
1.7MB

Download
memory/2040-119-0x0000000077590000-0x0000000077666000-memory.dmp

Filesize
856KB

Download
memory/2040-120-0x0000000001420000-0x0000000001FF2000-memory.dmp

Filesize
11.8MB

Download
memory/2040-29-0x0000000001420000-0x0000000001FF2000-memory.dmp

Filesize
11.8MB

Download
memory/2040-124-0x00000000773A0000-0x0000000077549000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads