guloader | 345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Forligsmnd.exe
Size

461KB
MD5

789ee5c5300dc862faaf96475720f9bc
SHA1

0ef8137d58a07747fc9d4e5708241ff298734646
SHA256

345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793
SHA512

1f9ccdffa0ef09d89d0f024a5c698c0a4c6e3666353db38f5d3b48f49ca00544b038ca6db6069e3eee93f1c66d11467bde3ecf53148f2add1c7206e701ba2b23
SSDEEP

12288:vgEdJmlO0y9cb0crEM9wH056oDWLJuNdRey:bdJmlO995cAKwA6bLJuNKy

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
3952	Forligsmnd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	drive.google.com
32	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\astrofysikkernes.Prv	Forligsmnd.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3336	Forligsmnd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3952	Forligsmnd.exe
3336	Forligsmnd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 3336	3952	Forligsmnd.exe	90
PID 3336 set thread context of 3392	3336	Forligsmnd.exe	56
PID 3336 set thread context of 2428	3336	Forligsmnd.exe	95
PID 2428 set thread context of 3392	2428	winrshost.exe	56

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tronsalens\overreact.kog	Forligsmnd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	winrshost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
3336	Forligsmnd.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
3952	Forligsmnd.exe
3336	Forligsmnd.exe
3392	Explorer.EXE
3392	Explorer.EXE
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe
2428	winrshost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 3336	3952	Forligsmnd.exe	90
PID 3952 wrote to memory of 3336	3952	Forligsmnd.exe	90
PID 3952 wrote to memory of 3336	3952	Forligsmnd.exe	90
PID 3952 wrote to memory of 3336	3952	Forligsmnd.exe	90
PID 3952 wrote to memory of 3336	3952	Forligsmnd.exe	90
PID 3392 wrote to memory of 2428	3392	Explorer.EXE	95
PID 3392 wrote to memory of 2428	3392	Explorer.EXE	95
PID 3392 wrote to memory of 2428	3392	Explorer.EXE	95
PID 2428 wrote to memory of 4576	2428	winrshost.exe	105
PID 2428 wrote to memory of 4576	2428	winrshost.exe	105
PID 2428 wrote to memory of 4576	2428	winrshost.exe	105

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\Forligsmnd.exe
  "C:\Users\Admin\AppData\Local\Temp\Forligsmnd.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\Forligsmnd.exe
    "C:\Users\Admin\AppData\Local\Temp\Forligsmnd.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3336
- C:\Windows\SysWOW64\winrshost.exe
  "C:\Windows\SysWOW64\winrshost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst35E8.tmp\System.dll

Filesize
11KB

MD5
fc3772787eb239ef4d0399680dcc4343

SHA1
db2fa99ec967178cd8057a14a428a8439a961a73

SHA256
9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed

SHA512
79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

Download Submit
C:\Users\Admin\Forbydende173.ini

Filesize
44B

MD5
91c4f98316bddadc66fcf70398ce4c16

SHA1
b2b0cb16fdfce2a8cb324750e4db6a453bcc937a

SHA256
ca353ee13d34dd61d6e15cf88789afab0e879f2c8f93ce58364d4b200c2c958b

SHA512
022ebd6c5951c4f416c1d513bfaa91de9f05ab7574289852b144f2b90fcd54c52eddb44768c9fe4e012899b277d26c680d2356bed466fc2b0f6e0977379cf0ee

Download Submit
memory/2428-287-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download
memory/2428-285-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download
memory/3336-277-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3336-281-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3336-261-0x0000000001660000-0x000000000314C000-memory.dmp

Filesize
26.9MB

Download
memory/3336-286-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3336-263-0x00000000774E8000-0x00000000774E9000-memory.dmp

Filesize
4KB

Download
memory/3336-264-0x0000000077505000-0x0000000077506000-memory.dmp

Filesize
4KB

Download
memory/3336-282-0x0000000077461000-0x0000000077581000-memory.dmp

Filesize
1.1MB

Download
memory/3336-260-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3336-279-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3336-280-0x0000000001660000-0x000000000314C000-memory.dmp

Filesize
26.9MB

Download
memory/3392-288-0x0000000008060000-0x0000000008177000-memory.dmp

Filesize
1.1MB

Download
memory/3952-278-0x0000000004B60000-0x000000000664C000-memory.dmp

Filesize
26.9MB

Download
memory/3952-259-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/3952-258-0x0000000077461000-0x0000000077581000-memory.dmp

Filesize
1.1MB

Download
memory/3952-262-0x0000000004B60000-0x000000000664C000-memory.dmp

Filesize
26.9MB

Download
memory/3952-257-0x0000000004B60000-0x000000000664C000-memory.dmp

Filesize
26.9MB

Download