guloader | 345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793

General

Target

345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe
Size

461KB
MD5

789ee5c5300dc862faaf96475720f9bc
SHA1

0ef8137d58a07747fc9d4e5708241ff298734646
SHA256

345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793
SHA512

1f9ccdffa0ef09d89d0f024a5c698c0a4c6e3666353db38f5d3b48f49ca00544b038ca6db6069e3eee93f1c66d11467bde3ecf53148f2add1c7206e701ba2b23
SSDEEP

12288:vgEdJmlO0y9cb0crEM9wH056oDWLJuNdRey:bdJmlO995cAKwA6bLJuNKy

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
3984	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
9	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\astrofysikkernes.Prv	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1164	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3984	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe
1164	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3984 set thread context of 1164	3984	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe	92

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tronsalens\overreact.kog	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4384	1164	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1164	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe
1164	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3984	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 1164	3984	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe	92
PID 3984 wrote to memory of 1164	3984	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe	92
PID 3984 wrote to memory of 1164	3984	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe	92
PID 3984 wrote to memory of 1164	3984	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe	92
PID 3984 wrote to memory of 1164	3984	345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe	92

C:\Users\Admin\AppData\Local\Temp\345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe
"C:\Users\Admin\AppData\Local\Temp\345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe
  "C:\Users\Admin\AppData\Local\Temp\345ed67cf43e000ffa57dfc07fc6606f757cf88a6d3b9d8778444d7eef1dd793.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1068
    3⤵
    - Program crash
    PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4428,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=3788 /prefetch:8
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1164 -ip 1164
1⤵
PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseF669.tmp\System.dll

Filesize
11KB

MD5
fc3772787eb239ef4d0399680dcc4343

SHA1
db2fa99ec967178cd8057a14a428a8439a961a73

SHA256
9b93c61c9d63ef8ec80892cc0e4a0877966dca9b0c3eb85555cebd2ddf4d6eed

SHA512
79e491ca4591a5da70116114b7fbb66ee15a0532386035e980c9dfe7afb59b1f9d9c758891e25bfb45c36b07afd3e171bac37a86c887387ef0e80b1eaf296c89

Download Submit
C:\Users\Admin\Forbydende173.ini

Filesize
44B

MD5
91c4f98316bddadc66fcf70398ce4c16

SHA1
b2b0cb16fdfce2a8cb324750e4db6a453bcc937a

SHA256
ca353ee13d34dd61d6e15cf88789afab0e879f2c8f93ce58364d4b200c2c958b

SHA512
022ebd6c5951c4f416c1d513bfaa91de9f05ab7574289852b144f2b90fcd54c52eddb44768c9fe4e012899b277d26c680d2356bed466fc2b0f6e0977379cf0ee

Download Submit
memory/1164-279-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1164-281-0x0000000001660000-0x000000000314C000-memory.dmp

Filesize
26.9MB

Download
memory/1164-282-0x00000000777C1000-0x00000000778E1000-memory.dmp

Filesize
1.1MB

Download
memory/1164-260-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1164-261-0x0000000001660000-0x000000000314C000-memory.dmp

Filesize
26.9MB

Download
memory/1164-262-0x0000000077848000-0x0000000077849000-memory.dmp

Filesize
4KB

Download
memory/1164-280-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1164-264-0x0000000077865000-0x0000000077866000-memory.dmp

Filesize
4KB

Download
memory/1164-277-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3984-259-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/3984-278-0x0000000004B50000-0x000000000663C000-memory.dmp

Filesize
26.9MB

Download
memory/3984-263-0x0000000004B50000-0x000000000663C000-memory.dmp

Filesize
26.9MB

Download
memory/3984-258-0x00000000777C1000-0x00000000778E1000-memory.dmp

Filesize
1.1MB

Download
memory/3984-257-0x0000000004B50000-0x000000000663C000-memory.dmp

Filesize
26.9MB

Download

Analysis

Sharing