guloader | 7f83f1ace73c0eb3543fd3e15924ecfc69d174e0ad30298b917b74e65a605eb2

General

Target

Kompagnonernes.exe
Size

542KB
MD5

6b70b3711d067ff306ef0b6880aa9b75
SHA1

3e6adcc2187d08da0e22cb8442bf432d4543dbcb
SHA256

7f83f1ace73c0eb3543fd3e15924ecfc69d174e0ad30298b917b74e65a605eb2
SHA512

91d01e9792613c96037df699f65f508478c151cf47b71461f71d22fcb9df294b49c28085a5479270b0a592747a9af335e132615fbf997ae61e245e2ec381bc04
SSDEEP

12288:AKdIoOp22GL4aC98Xxt9zdzJJmnIprf+r:AKdIlpspWoT3zmI7K

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
512	Kompagnonernes.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	drive.google.com
32	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4304	Kompagnonernes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
512	Kompagnonernes.exe
4304	Kompagnonernes.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 512 set thread context of 4304	512	Kompagnonernes.exe	89
PID 4304 set thread context of 3492	4304	Kompagnonernes.exe	56
PID 4304 set thread context of 4296	4304	Kompagnonernes.exe	90
PID 4296 set thread context of 3492	4296	fontview.exe	56
PID 4296 set thread context of 5060	4296	fontview.exe	91

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Telepatisk.ini	Kompagnonernes.exe
File opened for modification	C:\Program Files (x86)\Fertiliseringerne\imperceptibly.ini	Kompagnonernes.exe
File opened for modification	C:\Program Files (x86)\reliable\aldersbestemmelse.ini	Kompagnonernes.exe
File opened for modification	C:\Program Files (x86)\Common Files\besvimelses.str	Kompagnonernes.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ingvardts.Sin	Kompagnonernes.exe
File opened for modification	C:\Windows\tasselling\sporvognsskinne.Rev	Kompagnonernes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	fontview.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
512	Kompagnonernes.exe
4304	Kompagnonernes.exe
4304	Kompagnonernes.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe
4296	fontview.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 4304	512	Kompagnonernes.exe	89
PID 512 wrote to memory of 4304	512	Kompagnonernes.exe	89
PID 512 wrote to memory of 4304	512	Kompagnonernes.exe	89
PID 512 wrote to memory of 4304	512	Kompagnonernes.exe	89
PID 512 wrote to memory of 4304	512	Kompagnonernes.exe	89
PID 4304 wrote to memory of 4296	4304	Kompagnonernes.exe	90
PID 4304 wrote to memory of 4296	4304	Kompagnonernes.exe	90
PID 4304 wrote to memory of 4296	4304	Kompagnonernes.exe	90
PID 4296 wrote to memory of 5060	4296	fontview.exe	91
PID 4296 wrote to memory of 5060	4296	fontview.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\Kompagnonernes.exe
  "C:\Users\Admin\AppData\Local\Temp\Kompagnonernes.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Users\Admin\AppData\Local\Temp\Kompagnonernes.exe
    "C:\Users\Admin\AppData\Local\Temp\Kompagnonernes.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\fontview.exe
      "C:\Windows\SysWOW64\fontview.exe"
      4⤵
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg62A4.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit
memory/512-32-0x0000000004E30000-0x0000000007A27000-memory.dmp

Filesize
44.0MB

Download
memory/512-12-0x0000000004E30000-0x0000000007A27000-memory.dmp

Filesize
44.0MB

Download
memory/512-13-0x0000000077191000-0x00000000772B1000-memory.dmp

Filesize
1.1MB

Download
memory/512-14-0x0000000073DE5000-0x0000000073DE6000-memory.dmp

Filesize
4KB

Download
memory/512-17-0x0000000004E30000-0x0000000007A27000-memory.dmp

Filesize
44.0MB

Download
memory/3492-41-0x0000000002930000-0x00000000029F9000-memory.dmp

Filesize
804KB

Download
memory/4296-40-0x00000000007B0000-0x00000000007EF000-memory.dmp

Filesize
252KB

Download
memory/4296-38-0x00000000007B0000-0x00000000007EF000-memory.dmp

Filesize
252KB

Download
memory/4304-30-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4304-33-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4304-34-0x0000000001660000-0x0000000004257000-memory.dmp

Filesize
44.0MB

Download
memory/4304-37-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4304-31-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4304-39-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4304-16-0x0000000001660000-0x0000000004257000-memory.dmp

Filesize
44.0MB

Download
memory/4304-15-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/5060-48-0x000001A9204B0000-0x000001A92058A000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing