guloader | 2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905

General

Target

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
Size

262KB
MD5

76923fcaa0a505edf3ad0258599c4ac4
SHA1

c12da3f5b65037e1d8e9c448896476284ad152ee
SHA256

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905
SHA512

b7e63acbc58fc774ab1b344f8e0c49dfa77287ae355651d6710e9ef47aae3938abe5ce752f39b405e8ae07c9874cb423f88ceca8a9a1c36a11a66e0596dcf4b3
SSDEEP

6144:C+K0JKwduysEcdn0AwZkMJrZJKBRiJ5KGzR9gMYazuS0:LJZ0EcdnTdM5ZJCEv7VCMYaav

Score

10^/10

guloader downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Loads dropped DLL 1 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

pid process

2556 2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Omnisufficient5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nonconducive\\Foretraekke.exe"	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

Drops file in System32 directory 1 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\frinumres\Bremsevskers.ini	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

pid	process
2744	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
2744	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

pid	process
2556	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
2744	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

description	pid	process	target process
PID 2556 set thread context of 2744	2556	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

Drops file in Program Files directory 1 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\indebt\weinmannia.nas	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

Drops file in Windows directory 1 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

description ioc process

File opened for modification C:\Windows\bratschists.lig 2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

pid process

2556 2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

pid process

2744 2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

description	ioc	process
File opened for modification	C:\Windows\bratschists.lig	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

description	pid	process	target process
PID 2556 wrote to memory of 2744	2556	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
PID 2556 wrote to memory of 2744	2556	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
PID 2556 wrote to memory of 2744	2556	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
PID 2556 wrote to memory of 2744	2556	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
PID 2556 wrote to memory of 2744	2556	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
PID 2556 wrote to memory of 2744	2556	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe	2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe

C:\Users\Admin\AppData\Local\Temp\2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
"C:\Users\Admin\AppData\Local\Temp\2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe
  "C:\Users\Admin\AppData\Local\Temp\2f61e87b9efc40e20b2ea6dbd7f304a0cdaacea53c7407bb6da45d2e6302a905.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi2AB9.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
memory/2556-23-0x00000000774F1000-0x00000000775F2000-memory.dmp

Filesize
1.0MB

Download
memory/2556-24-0x00000000774F0000-0x0000000077699000-memory.dmp

Filesize
1.7MB

Download
memory/2744-25-0x00000000774F0000-0x0000000077699000-memory.dmp

Filesize
1.7MB

Download
memory/2744-27-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/2744-28-0x00000000014B0000-0x00000000059D7000-memory.dmp

Filesize
69.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads