guloader | 95e217da4c184170c705e9ef317b5d8333713f4f91435d0964e0e2cea03100ab

Analysis

max time kernel
48s
max time network
46s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe
Size

615KB
MD5

174dcf32138060240e094f9faefecfc5
SHA1

0b271c152cfda5ba57273967d8729f9cd755aa12
SHA256

14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e
SHA512

f63c8bae8020d359f61e7d09af25ae5cace4225fcaf492518ad64ce87886eb29aba27122a2dfbfe330d0b344e974215daf0f9e698cf2c2f621a804f5fa68874a
SSDEEP

12288:/XWG6OT+LTOaWT9N4XhgggCwulapByjZhO838sSuEloIkxFA:/XWsTmWT9N4xgghblapB2hz8sSuEoIz

Score

10^/10

guloader downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1972 powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Unfeathered187 = "%Gisnes% -windowstyle minimized $Nikethamide105=(Get-ItemProperty -Path 'HKCU:\\Bubber\\').Svartider;%Gisnes% ($Nikethamide105)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2712 wab.exe
2712 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1972 powershell.exe
2712 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1972 set thread context of 2712 1972 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1416 reg.exe

pid	process
2712	wab.exe
2712	wab.exe

description	pid	process	target process
PID 1972 set thread context of 2712	1972	powershell.exe	wab.exe

pid	process
1416	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1972 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1972 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1972	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2744 wrote to memory of 1972	2744	14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe	powershell.exe
PID 2744 wrote to memory of 1972	2744	14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe	powershell.exe
PID 2744 wrote to memory of 1972	2744	14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe	powershell.exe
PID 2744 wrote to memory of 1972	2744	14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe	powershell.exe
PID 1972 wrote to memory of 2412	1972	powershell.exe	cmd.exe
PID 1972 wrote to memory of 2412	1972	powershell.exe	cmd.exe
PID 1972 wrote to memory of 2412	1972	powershell.exe	cmd.exe
PID 1972 wrote to memory of 2412	1972	powershell.exe	cmd.exe
PID 1972 wrote to memory of 2712	1972	powershell.exe	wab.exe
PID 1972 wrote to memory of 2712	1972	powershell.exe	wab.exe
PID 1972 wrote to memory of 2712	1972	powershell.exe	wab.exe
PID 1972 wrote to memory of 2712	1972	powershell.exe	wab.exe
PID 1972 wrote to memory of 2712	1972	powershell.exe	wab.exe
PID 1972 wrote to memory of 2712	1972	powershell.exe	wab.exe
PID 2712 wrote to memory of 692	2712	wab.exe	cmd.exe
PID 2712 wrote to memory of 692	2712	wab.exe	cmd.exe
PID 2712 wrote to memory of 692	2712	wab.exe	cmd.exe
PID 2712 wrote to memory of 692	2712	wab.exe	cmd.exe
PID 692 wrote to memory of 1416	692	cmd.exe	reg.exe
PID 692 wrote to memory of 1416	692	cmd.exe	reg.exe
PID 692 wrote to memory of 1416	692	cmd.exe	reg.exe
PID 692 wrote to memory of 1416	692	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe
"C:\Users\Admin\AppData\Local\Temp\14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Retstillingers=Get-Content 'C:\Users\Admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Upgather\Vektoriel.Eks';$Disengagering=$Retstillingers.SubString(32120,3);.$Disengagering($Retstillingers)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2412

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unfeathered187" /t REG_EXPAND_SZ /d "%Gisnes% -windowstyle minimized $Nikethamide105=(Get-ItemProperty -Path 'HKCU:\Bubber\').Svartider;%Gisnes% ($Nikethamide105)"
4⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Unfeathered187" /t REG_EXPAND_SZ /d "%Gisnes% -windowstyle minimized $Nikethamide105=(Get-ItemProperty -Path 'HKCU:\Bubber\').Svartider;%Gisnes% ($Nikethamide105)"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dda16d2082c42d5fff20ef3235f77b53

SHA1
5c914895f658e6cf998d32eae8efef5b668d3ec0

SHA256
70452ab34a56ea868b1d51f24f465805fcc4af073053bd408efd07e620266abc

SHA512
321c943dd9bb95cf6591e6d0c6240e6a1afe47ddaf227399146b172112e14d7339c44e24c10d66fa0d60e39831eff2f8692d83072384f7c25822d478ac401cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41E2.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar42C4.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Upgather\Vektoriel.Eks
Filesize
50KB

MD5
5333a87a8aa86ef14e3cefc2162de69e

SHA1
2dbb497de16ff8a4d855e53c33cb56d62b6dcd81

SHA256
4ce60f9464a4737ebc1ae2dd8b98653c410193a28896f1d1110fc0173a395d56

SHA512
d9ead59794ccc243cccb13d6c11aea90ea402451d38c012ffb10a41fa7ff35f3f24582ad34318dacbce5af7f1480c8a016fdba82efe77522e22181c534ee5221

Download Submit
C:\Users\Admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Upgather\Vidensbankerne.Del
Filesize
307KB

MD5
f48812c568ca9e001c50273a63d8691e

SHA1
af156772b118550bad9821c4bc466f21f5aa1d83

SHA256
f9cd32e7402c6fa5a8d96299a9a810f7e65c7f2d42208459e79b0db098b35d6d

SHA512
d02cd72ff731488ee609900b2705b89b86c471f5ee3382b8ecda122e7d161cfc6f07a41131258486f6087d7b73a0b726ad2c50c54da17d32292d5984ea5d004a

Download Submit
memory/1972-21-0x00000000740C1000-0x00000000740C2000-memory.dmp

Filesize
4KB

Download
memory/1972-29-0x0000000006880000-0x0000000007E0A000-memory.dmp

Filesize
21.5MB

Download
memory/1972-25-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-24-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-23-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-22-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-125-0x00000000740C0000-0x000000007466B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-124-0x0000000001E50000-0x00000000033DA000-memory.dmp

Filesize
21.5MB

Download