guloader | 0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe
Size

534KB
MD5

6c017aa6f64a029fd33fe39c3721dd70
SHA1

85e289141f005e4400a9080caa92977c5bf92a3a
SHA256

0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6
SHA512

655be368576a5b7f270b06cd3c909af51f1809560af0860edc52ece584a6cc0d797c248342abdfc5ebc4877c961c52e1e17b8360bd65b14f1e7355d27bc900c2
SSDEEP

12288:karCpCzpXdVLmVKQtJ8PECXxcIvzWrhygoRu6Xy:1roKpXNQwE+xcCiySGy

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
1380	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1380	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe
4664	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 4664	1380	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1380	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 4664	1380	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe	94
PID 1380 wrote to memory of 4664	1380	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe	94
PID 1380 wrote to memory of 4664	1380	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe	94
PID 1380 wrote to memory of 4664	1380	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe	94
PID 1380 wrote to memory of 4664	1380	0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe	94

C:\Users\Admin\AppData\Local\Temp\0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe
"C:\Users\Admin\AppData\Local\Temp\0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe
  "C:\Users\Admin\AppData\Local\Temp\0cac92631c201434bd9ca13c18d84301ec7c1ecc4111470c32df57e960fcbee6.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\rasterside.ini

Filesize
39B

MD5
dc764daea004e907e2a4076dc2e81dce

SHA1
64cc2f14c8426031e8fe9995da24887ff5beec97

SHA256
8a3dd54acac47298afa45e7048a9297f897e35cb351e511fbe5a421b1ed6523d

SHA512
f03e8c65e1974e8bc1608e292a9898054c791b5e8505b8bbd5f9eb832cd414c3fb19f7e328286984cc73a07937d60731dd00f20c3e31db77245a2f178e5bf257

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk6D51.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
memory/1380-40-0x00000000040C0000-0x000000000616D000-memory.dmp

Filesize
32.7MB

Download
memory/1380-41-0x0000000077721000-0x0000000077841000-memory.dmp

Filesize
1.1MB

Download
memory/1380-42-0x0000000074584000-0x0000000074585000-memory.dmp

Filesize
4KB

Download
memory/1380-45-0x00000000040C0000-0x000000000616D000-memory.dmp

Filesize
32.7MB

Download
memory/1380-52-0x00000000040C0000-0x000000000616D000-memory.dmp

Filesize
32.7MB

Download
memory/4664-43-0x00000000016D0000-0x000000000377D000-memory.dmp

Filesize
32.7MB

Download
memory/4664-44-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/4664-47-0x00000000016D0000-0x000000000377D000-memory.dmp

Filesize
32.7MB

Download