guloader | 960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917

General

Target

960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe
Size

658KB
MD5

60a7e716d4096c5b2d261711efa88189
SHA1

a026c01473285adf6115954308679e626a7db7e9
SHA256

960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917
SHA512

15a2c1a0651aeb37063ba307d76c45404451c709220d67af6f9f996634aca8def08dc62fa081e4b01fa316543116612b96743a5b34ac5338cc14f8ae0485b799
SSDEEP

12288:f0VN1HuZE08wTl3yItrn5F9Foy6TZK/iVHCzwHBW:MHl08wT1yIV5F9qRTZK/WC/

Score

10^/10

guloader downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe
4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4796	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe
4796	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 4796	4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe	90

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\typeable\bialys.ini	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\morphologists\Declaratively2.apo	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3936	4796	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4796	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe
4796	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4796	4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe	90
PID 4752 wrote to memory of 4796	4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe	90
PID 4752 wrote to memory of 4796	4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe	90
PID 4752 wrote to memory of 4796	4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe	90
PID 4752 wrote to memory of 4796	4752	960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe	90

C:\Users\Admin\AppData\Local\Temp\960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe
"C:\Users\Admin\AppData\Local\Temp\960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Local\Temp\960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe
  "C:\Users\Admin\AppData\Local\Temp\960a287cacdeeb38a29b06b0a73f6f150be8064fd414b9e050eed13c03cbe917.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1480
    3⤵
    - Program crash
    PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4796 -ip 4796
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl3B74.tmp\System.dll

Filesize
11KB

MD5
10e8921a6e7f6a74671b07dc3bde626f

SHA1
b7961066600ef193c5319dbeed3673dc60110a50

SHA256
c85142f86e1ec02f7ef8d5ba31b22031de3de9a16bce519d5482b824afb277eb

SHA512
4c19a7e3117baeec3f6a7f9a33cfab392255741137406db87fe5ac24def7f9a28b2ed0fc26f0f46c5d43ba1bb6675dea74410a797bfd265e38812b042460aa00

Download Submit
memory/4752-32-0x00000000041A0000-0x0000000004E7A000-memory.dmp

Filesize
12.9MB

Download
memory/4752-25-0x00000000041A0000-0x0000000004E7A000-memory.dmp

Filesize
12.9MB

Download
memory/4752-26-0x0000000077341000-0x0000000077461000-memory.dmp

Filesize
1.1MB

Download
memory/4752-27-0x0000000074025000-0x0000000074026000-memory.dmp

Filesize
4KB

Download
memory/4752-45-0x00000000041A0000-0x0000000004E7A000-memory.dmp

Filesize
12.9MB

Download
memory/4796-34-0x0000000001660000-0x000000000233A000-memory.dmp

Filesize
12.9MB

Download
memory/4796-47-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/4796-30-0x00000000773C8000-0x00000000773C9000-memory.dmp

Filesize
4KB

Download
memory/4796-33-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-29-0x0000000001660000-0x000000000233A000-memory.dmp

Filesize
12.9MB

Download
memory/4796-44-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-28-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-31-0x00000000773E5000-0x00000000773E6000-memory.dmp

Filesize
4KB

Download
memory/4796-46-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-48-0x0000000077341000-0x0000000077461000-memory.dmp

Filesize
1.1MB

Download
memory/4796-49-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-50-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-52-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/4796-51-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4796-53-0x0000000001660000-0x000000000233A000-memory.dmp

Filesize
12.9MB

Download

Analysis

Sharing