guloader | 1f7f8fa2a0d1850a1753edd61fc2ddfd67031a15b65929469c044dc8c751de03

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cumacean.exe
Size

234KB
MD5

d9ad627096015371e1d4db92375bc6ff
SHA1

c625bbef9ca680e05e6d426ef1417086d059cd94
SHA256

1f7f8fa2a0d1850a1753edd61fc2ddfd67031a15b65929469c044dc8c751de03
SHA512

9573885810921efacaa924e48069cd04adbc0f1003a94318734233a570c495d91f6e1dc6ab02e078ebd17cdceb1a616636f6799dc737aae281e9cd4681df6aa3
SSDEEP

6144:Ek62PBHbekcwi+GGKPNYLsJbRGryWCP3fI/C:BpaGgvfRRGrK4a

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
1640	Cumacean.exe
1640	Cumacean.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\introvision\Produktionsstyringsdatabaserne.Cel	Cumacean.exe
File opened for modification	C:\Windows\SysWOW64\kret\Kattekillings.ini	Cumacean.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1640	Cumacean.exe
2700	msbuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 2700	1640	Cumacean.exe	28

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\evocativeness\unprefigured\fodens\Protopteridophyte15\Afterharm.ini	Cumacean.exe
File opened for modification	C:\Program Files (x86)\Common Files\desorienteres\managementet\lither\Buris\gammastraalingen\preadministrator\roustabout.tal	Cumacean.exe
File opened for modification	C:\Program Files (x86)\bordered\filemaking\samle.ind	Cumacean.exe
File opened for modification	C:\Program Files (x86)\logometrically\pinningly\tissemnds.goa	Cumacean.exe
File opened for modification	C:\Program Files (x86)\Common Files\narkocentres\Centimes\Lupuline\proconfederationist\kvartlzr.Tri239	Cumacean.exe
File opened for modification	C:\Program Files (x86)\recalculated\Indhentende150\overensstemmelsernes\Naphthalol\ripsaws.amb	Cumacean.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\Udsagnsleddene\Brugerkurser6\antiheroism.ang	Cumacean.exe
File opened for modification	C:\Windows\resources\0409\opg.ini	Cumacean.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1640	Cumacean.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2700	1640	Cumacean.exe	28
PID 1640 wrote to memory of 2700	1640	Cumacean.exe	28
PID 1640 wrote to memory of 2700	1640	Cumacean.exe	28
PID 1640 wrote to memory of 2700	1640	Cumacean.exe	28
PID 1640 wrote to memory of 2700	1640	Cumacean.exe	28
PID 1640 wrote to memory of 2700	1640	Cumacean.exe	28

C:\Users\Admin\AppData\Local\Temp\Cumacean.exe
"C:\Users\Admin\AppData\Local\Temp\Cumacean.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Users\Admin\AppData\Local\Temp\Cumacean.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso1CD5.tmp\System.dll

Filesize
11KB

MD5
55f18cafe28167995629fdeae4f07bdf

SHA1
a6bd9310f4408c86149993d1e8833d35dd16bb23

SHA256
e32b35cde7c6e2c967445de92884684db7fda506ea52b9aaa74c1a33dd2fdfe6

SHA512
113e7a9e1958bea6a045a7120adf6c667880b9b1d90ff7790e2004f3954f9358a5e44ceb6be0c3b32ff8e6a06878a0f22be7206d0b5a6c5392ca30b8c3bff8ce

Download Submit
\Users\Admin\AppData\Local\Temp\nso1CD5.tmp\nsDialogs.dll

Filesize
9KB

MD5
f294cfefcf2f306696944427ef551de5

SHA1
6ae91bc7706e0dc0e882f2648277ffc9437a5f8b

SHA256
b170d492cedc29719d27092c29ae1c71bc0b4d9c7df5707b44ac748bc394967f

SHA512
da8b57a3b9256aa6f5e8a33399eea9fb154f9463dfcb297b67419f540049cca9450ce81fe5d3dffad3d8708f300c9453d64add8e81e8dd48b6bae0f1053f116e

Download Submit
memory/1640-20-0x0000000004C30000-0x0000000006C3C000-memory.dmp

Filesize
32.0MB

Download
memory/1640-21-0x0000000077711000-0x0000000077812000-memory.dmp

Filesize
1.0MB

Download
memory/1640-22-0x0000000077710000-0x00000000778B9000-memory.dmp

Filesize
1.7MB

Download
memory/1640-24-0x0000000004C30000-0x0000000006C3C000-memory.dmp

Filesize
32.0MB

Download
memory/1640-32-0x0000000004C30000-0x0000000006C3C000-memory.dmp

Filesize
32.0MB

Download
memory/2700-23-0x0000000077710000-0x00000000778B9000-memory.dmp

Filesize
1.7MB

Download
memory/2700-25-0x0000000072C90000-0x0000000073CF2000-memory.dmp

Filesize
16.4MB

Download
memory/2700-27-0x0000000077710000-0x00000000778B9000-memory.dmp

Filesize
1.7MB

Download