guloader | 7f83f1ace73c0eb3543fd3e15924ecfc69d174e0ad30298b917b74e65a605eb2

General

Target

Kompagnonernes.exe
Size

542KB
MD5

6b70b3711d067ff306ef0b6880aa9b75
SHA1

3e6adcc2187d08da0e22cb8442bf432d4543dbcb
SHA256

7f83f1ace73c0eb3543fd3e15924ecfc69d174e0ad30298b917b74e65a605eb2
SHA512

91d01e9792613c96037df699f65f508478c151cf47b71461f71d22fcb9df294b49c28085a5479270b0a592747a9af335e132615fbf997ae61e245e2ec381bc04
SSDEEP

12288:AKdIoOp22GL4aC98Xxt9zdzJJmnIprf+r:AKdIlpspWoT3zmI7K

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
1008	Kompagnonernes.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2620	Kompagnonernes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1008	Kompagnonernes.exe
2620	Kompagnonernes.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1008 set thread context of 2620	1008	Kompagnonernes.exe	28
PID 2620 set thread context of 1116	2620	Kompagnonernes.exe	20
PID 2620 set thread context of 2152	2620	Kompagnonernes.exe	33
PID 2152 set thread context of 1116	2152	fontview.exe	20

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\reliable\aldersbestemmelse.ini	Kompagnonernes.exe
File opened for modification	C:\Program Files (x86)\Common Files\besvimelses.str	Kompagnonernes.exe
File opened for modification	C:\Program Files (x86)\Telepatisk.ini	Kompagnonernes.exe
File opened for modification	C:\Program Files (x86)\Fertiliseringerne\imperceptibly.ini	Kompagnonernes.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ingvardts.Sin	Kompagnonernes.exe
File opened for modification	C:\Windows\tasselling\sporvognsskinne.Rev	Kompagnonernes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2620	Kompagnonernes.exe
2620	Kompagnonernes.exe
2620	Kompagnonernes.exe
2620	Kompagnonernes.exe
2620	Kompagnonernes.exe
2620	Kompagnonernes.exe
2620	Kompagnonernes.exe
2620	Kompagnonernes.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe
2152	fontview.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1008	Kompagnonernes.exe
2620	Kompagnonernes.exe
2620	Kompagnonernes.exe
2152	fontview.exe
2152	fontview.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2620	1008	Kompagnonernes.exe	28
PID 1008 wrote to memory of 2620	1008	Kompagnonernes.exe	28
PID 1008 wrote to memory of 2620	1008	Kompagnonernes.exe	28
PID 1008 wrote to memory of 2620	1008	Kompagnonernes.exe	28
PID 1008 wrote to memory of 2620	1008	Kompagnonernes.exe	28
PID 1008 wrote to memory of 2620	1008	Kompagnonernes.exe	28
PID 2620 wrote to memory of 2152	2620	Kompagnonernes.exe	33
PID 2620 wrote to memory of 2152	2620	Kompagnonernes.exe	33
PID 2620 wrote to memory of 2152	2620	Kompagnonernes.exe	33
PID 2620 wrote to memory of 2152	2620	Kompagnonernes.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1116
- C:\Users\Admin\AppData\Local\Temp\Kompagnonernes.exe
  "C:\Users\Admin\AppData\Local\Temp\Kompagnonernes.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\Kompagnonernes.exe
    "C:\Users\Admin\AppData\Local\Temp\Kompagnonernes.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\fontview.exe
      "C:\Windows\SysWOW64\fontview.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi7B0.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit
memory/1008-18-0x0000000004200000-0x0000000006DF7000-memory.dmp

Filesize
44.0MB

Download
memory/1008-14-0x0000000076F41000-0x0000000077042000-memory.dmp

Filesize
1.0MB

Download
memory/1008-15-0x0000000076F40000-0x00000000770E9000-memory.dmp

Filesize
1.7MB

Download
memory/1008-13-0x0000000004200000-0x0000000006DF7000-memory.dmp

Filesize
44.0MB

Download
memory/1008-43-0x0000000004200000-0x0000000006DF7000-memory.dmp

Filesize
44.0MB

Download
memory/2152-55-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2152-52-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2620-42-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2620-19-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2620-44-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2620-50-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2620-17-0x0000000076F40000-0x00000000770E9000-memory.dmp

Filesize
1.7MB

Download
memory/2620-54-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2620-16-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing