guloader | 7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edba

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10c6429825adaba12c34696a8ff00879b2abbb88.exe
Size

254KB
MD5

ab5050f0b4b71352722a6122c8107f83
SHA1

10c6429825adaba12c34696a8ff00879b2abbb88
SHA256

7da5b2207cf789cf6807b6cc3373048cbc951d7fd09ca8fb858693cfa5f5edba
SHA512

ad2608ab646b697504286a909b1f3f454195ba527baa3a27f293f74464a0ca81aac635251f9c8cda2cf9f08650377026f5f7d1fddaa21f4573938c0f2671b8d0
SSDEEP

6144:QQLFhcSHzlojz8oz64NGsj7y78a/YstUX:1FaSRcWCGJz/tW

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	10c6429825adaba12c34696a8ff00879b2abbb88.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	10c6429825adaba12c34696a8ff00879b2abbb88.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	10c6429825adaba12c34696a8ff00879b2abbb88.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2196	10c6429825adaba12c34696a8ff00879b2abbb88.exe
688	10c6429825adaba12c34696a8ff00879b2abbb88.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 688	2196	10c6429825adaba12c34696a8ff00879b2abbb88.exe	28

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\alfaquins.ini	10c6429825adaba12c34696a8ff00879b2abbb88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2196	10c6429825adaba12c34696a8ff00879b2abbb88.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 688	2196	10c6429825adaba12c34696a8ff00879b2abbb88.exe	28
PID 2196 wrote to memory of 688	2196	10c6429825adaba12c34696a8ff00879b2abbb88.exe	28
PID 2196 wrote to memory of 688	2196	10c6429825adaba12c34696a8ff00879b2abbb88.exe	28
PID 2196 wrote to memory of 688	2196	10c6429825adaba12c34696a8ff00879b2abbb88.exe	28
PID 2196 wrote to memory of 688	2196	10c6429825adaba12c34696a8ff00879b2abbb88.exe	28

C:\Users\Admin\AppData\Local\Temp\10c6429825adaba12c34696a8ff00879b2abbb88.exe
"C:\Users\Admin\AppData\Local\Temp\10c6429825adaba12c34696a8ff00879b2abbb88.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\10c6429825adaba12c34696a8ff00879b2abbb88.exe
  "C:\Users\Admin\AppData\Local\Temp\10c6429825adaba12c34696a8ff00879b2abbb88.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\0409\alfaquins.ini

Filesize
42B

MD5
0f9aaea120fd9352cf55694c9500e138

SHA1
bc89504eadbd05cd616470145910a1d5b66c631e

SHA256
24966d03a28e75c5f10be3d0a75a6a2469d88a82cb32c9c8272657f096a89244

SHA512
1f21aa429773c03679d3593c5c3983ac3e4c57c8041a9e6b320bfff4330ac2bcff7bf246481c0a05e27966d24e410eaa3555041eb35036c9bb0ed120831811b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2158.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/688-225-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/688-226-0x0000000001470000-0x0000000002D80000-memory.dmp

Filesize
25.1MB

Download
memory/688-228-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/688-232-0x0000000001470000-0x0000000002D80000-memory.dmp

Filesize
25.1MB

Download
memory/2196-221-0x0000000003FC0000-0x00000000058D0000-memory.dmp

Filesize
25.1MB

Download
memory/2196-222-0x00000000776D0000-0x0000000077879000-memory.dmp

Filesize
1.7MB

Download
memory/2196-223-0x00000000778C0000-0x0000000077996000-memory.dmp

Filesize
856KB

Download
memory/2196-224-0x0000000074BF0000-0x0000000074BF6000-memory.dmp

Filesize
24KB

Download
memory/2196-227-0x0000000003FC0000-0x00000000058D0000-memory.dmp

Filesize
25.1MB

Download