guloader | 1e278f6354820588f07aa564f5d4b790c54b8c6b859698fbe68faabdac890d0a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe
Size

544KB
MD5

4b9ba132c7cb1877797cb86eec4dc49c
SHA1

cd5854ed6232038efd1c40d04254ee3933a65842
SHA256

1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8
SHA512

15383e4c216ef5a4e49e915da4368ca5e90e2cfeb618e2d8cb0a9a9fdb4f4190a383a90d28bcc2d84cb16414322952bcf5ddda02d2b07f19d555da25e37e9ee5
SSDEEP

12288:aQl/9wJbmh3DVCQM1+1cGyb+IG9cwzkZPHsg1P8Mf+TeKm:aQl/CJbmRY1MRyb+IGHzkFHT1PJfe5m

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe
4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe
4368	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4580 set thread context of 4368	4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4368	4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe	98
PID 4580 wrote to memory of 4368	4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe	98
PID 4580 wrote to memory of 4368	4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe	98
PID 4580 wrote to memory of 4368	4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe	98
PID 4580 wrote to memory of 4368	4580	1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe	98

C:\Users\Admin\AppData\Local\Temp\1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe
"C:\Users\Admin\AppData\Local\Temp\1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe
  "C:\Users\Admin\AppData\Local\Temp\1d10713238e6d48ee5b8e78207c73d9cb1149012d33101f32478793db23862a8.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsbD602.tmp

Filesize
56B

MD5
1b99f3d277ad9c000c6a5e1b8322809b

SHA1
7b5348cd74bc35f65b3714ccbb02b4899a1903f8

SHA256
20e8c5aee3dec0d01d28fa1dbe1a211b6a7fa7bd0c31ec52c4703247faf3e33b

SHA512
c34ae388b23040b1caf88e13071efc0cfe3488d3cdb74436a66379fcc56d3fe367a83f510eba9a098d89f4d5dc0fa2f68ce4baf7c48c1ed80565e637f325111c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD582.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD5D2.tmp

Filesize
39B

MD5
ba318d576ed3ee3a12788fba6f3e7636

SHA1
b27dff6333c5a8bb14bc7d703b1c3bef6a14f219

SHA256
5f3ca1d9267c21b00cb5bfea109f79fac059e160c736f507ecef1808febbc4c2

SHA512
6f2d7a1b0586f2e1772e35dcb4006d1223c1f267d0740281ed53f11228dbb3073cca6a6dc7f1f24cccf01e8e8160f4e55a8a1fcf0a1f144cb0e0fd40edb7adb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD5D2.tmp

Filesize
47B

MD5
5dcf87bcc8f512e85a8f73268bd7867f

SHA1
90dcd52c89226ee387f21f552015606baff72fd5

SHA256
b24d59ea009db3f2d73b00530d8b87025d3846ed1a8023c2c4f35dacf6e6198e

SHA512
975dc282c3a2ac2784ac69b2fa0dbefc3a818a95f2f95c64db5cbcb427e859e54c47ad1ec36c9617166e059ab357ca205e42747eae9ef99ab607abd31b833341

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD5D2.tmp

Filesize
60B

MD5
af09d90f83b187eb31a70c98be11d954

SHA1
afea4ee350c6d139d1dafb80457f8d70491de9b1

SHA256
b5dd5475f818794f1312fb6e50f10f837d67c60f8890d56a8bd224d0d8845c46

SHA512
cb2bea82e29c8c04d7ec18fff0e2f809ec878cb613d84345f72a89b2a3015fad680e0ef2a937a8547a3ea4ff916d7cbcf0b6a3b20d1d69f58b0ea01075aa81c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD642.tmp

Filesize
20B

MD5
3bb6070b3e4cbc844c6cee699666f746

SHA1
eaeb87f3175746d3c8a0896e35f5f2d3ad4f2d7b

SHA256
8678054a5a992d44bb69e4ab770e4d17cd1530511f044754ba3a15e59121cba4

SHA512
cf53f306a00ef5ed498c1dcaa426b013a64520938f492d77cd0f1cc15dffe37d465f30b9e15d451e1f85ed8e67f2ebed0930302ddb94b2f7172dd9e4fd6c52f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmD642.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD543.tmp

Filesize
60B

MD5
15b80dc3d729ab1abd2b7dd56f15dfbb

SHA1
38f2c2a96b7a3b7a2092956ba1cd28d93f7f44f4

SHA256
a8131e5fa3f1e8a7e35a248fb3da529eb2885731ca6687bac3278f53a698850c

SHA512
43cc514b05da8854292008e536e5860902847998f9d2cfce883aae0d3d5bedbe74db9a55ae1c33933af4f9cef40a103cac49a306f88550109397e96c7dc969fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD543.tmp

Filesize
14B

MD5
2f18f8f3b6d27674881e055d03e7e356

SHA1
7f6bb8aa1fa32dfb63b1da03d45c9aad694eeaf2

SHA256
7a9d5de32c67cb645d31b7d278cee322b643f98342a2d3b350bef4477a806d1a

SHA512
8d9ee0a92f9a0b15213eab47d1cab60258bf34b82664b4744e130d23a7a28d895c687322ae670d04168e3897f31da50999ea12a2c7f730d22be1fc363ef13631

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD543.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD543.tmp

Filesize
21B

MD5
8971b7a691c3fa70cb038019ee564845

SHA1
bdffd99c78750e7832d7d1e0cdee6c08c089ecb5

SHA256
612365d1000c11e69ee5ecd1faa7dc59078993959c48b7916a580b7bd3cbf587

SHA512
ee51ddd485220a130dbd4ae28f47f7bb990ca989deaabd5467b2f446cba05b2e600e1c04414e844c94bdc0b68bdfc2618e8aa410401cbb640c59831b8f9647d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD543.tmp

Filesize
35B

MD5
6308721206dbe8d1a8268f3c1b0aea1c

SHA1
8e2d87577161a86714c59df837fc0d5aac0bab5a

SHA256
65dd548600ae0d7d0fd7e126181efd7667b5d02c1ece19742c66ab4f31155c91

SHA512
51d2736cfc59466feb145ade821da741f9d10617c1a358465f49f06f9f1c1246a23cef4f63b6a423f380453d02cbb01d50d75dc5c0f6b11d4f85bf94cdba303d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD543.tmp

Filesize
46B

MD5
46bc3b3f30f2703822d77228cf71c47f

SHA1
880c185810ea2b075648c9d0aac41487c8383059

SHA256
8bf4c616c9a55aafdc1a48ebdb11f8fbea6fb2465aa2f216e4efad6d540a1d99

SHA512
b8dd0e24989ee9acf9eb6b86dfb7f87d1d11f96458981170b7557aa1e26bb995a9ff785c8a98a54327ab12a7868d9c404b221e5f09e401d431dbb0120042946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD593.tmp

Filesize
3B

MD5
4e27f2226785e9abbe046fc592668860

SHA1
28b18a7f383131df509f7191f946a32c5a2e410c

SHA256
01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

SHA512
2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswD593.tmp

Filesize
31B

MD5
bebdffa37358b59c6d03d4e3947c6f6c

SHA1
bb3d6a0095f4d6d2dac15bb64ffd4775952bf547

SHA256
3e3573216f1f8de74e0c00566b297b31f2c5b0e1015114d370fb84cfcdbe97d3

SHA512
651f98e9cf38c74647806c574f807c6a84d3b60c25aa701c00ad0cac409ff99fa490169ee033ba4ab1aa97dd8010c887d21d1dd1219bbfe5ae81ab39991efdbd

Download Submit
memory/4368-568-0x00000000016E0000-0x0000000003759000-memory.dmp

Filesize
32.5MB

Download
memory/4368-572-0x00000000016E0000-0x0000000003759000-memory.dmp

Filesize
32.5MB

Download
memory/4368-570-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4580-566-0x0000000077E51000-0x0000000077F71000-memory.dmp

Filesize
1.1MB

Download
memory/4580-569-0x00000000055E0000-0x0000000007659000-memory.dmp

Filesize
32.5MB

Download
memory/4580-567-0x0000000074CB5000-0x0000000074CB6000-memory.dmp

Filesize
4KB

Download
memory/4580-565-0x00000000055E0000-0x0000000007659000-memory.dmp

Filesize
32.5MB

Download
memory/4580-577-0x00000000055E0000-0x0000000007659000-memory.dmp

Filesize
32.5MB

Download