guloader | 794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326

General

Target

794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326.exe
Size

912KB
MD5

d31458f5305e5071039b1d90013d0f20
SHA1

48ed3751fa79b2a8e0736cf07713615555f4392c
SHA256

794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326
SHA512

b09897570735c1e946d53c7658dfb05daadb0a4ab7a14d2ebb183b15a48bbdcdcfee3ec7a6d6edcfe3c3f1917db19e0eefaf76060d69650789f9fe54763f67e0
SSDEEP

24576:GOreqsBKu6bUClPqyEYuH3ESEO0fG5vq7HK:GOCTKu6AwyyE/yfyq7q

Score

10^/10

guloader discovery downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2112	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	powershell.exe
688	halshuggende.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Noninherence = "%Frabedendes% -windowstyle minimized $Inquietudes=(Get-ItemProperty -Path 'HKCU:\\Specialforretning\\').Megacerotine;%Frabedendes% ($Inquietudes)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
688	halshuggende.exe
688	halshuggende.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2112	powershell.exe
688	halshuggende.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 688	2112	powershell.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	halshuggende.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2228	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2112	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2112	2680	794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326.exe	30
PID 2680 wrote to memory of 2112	2680	794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326.exe	30
PID 2680 wrote to memory of 2112	2680	794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326.exe	30
PID 2680 wrote to memory of 2112	2680	794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326.exe	30
PID 2112 wrote to memory of 688	2112	powershell.exe	33
PID 2112 wrote to memory of 688	2112	powershell.exe	33
PID 2112 wrote to memory of 688	2112	powershell.exe	33
PID 2112 wrote to memory of 688	2112	powershell.exe	33
PID 2112 wrote to memory of 688	2112	powershell.exe	33
PID 2112 wrote to memory of 688	2112	powershell.exe	33
PID 688 wrote to memory of 2152	688	halshuggende.exe	34
PID 688 wrote to memory of 2152	688	halshuggende.exe	34
PID 688 wrote to memory of 2152	688	halshuggende.exe	34
PID 688 wrote to memory of 2152	688	halshuggende.exe	34
PID 2152 wrote to memory of 2228	2152	cmd.exe	36
PID 2152 wrote to memory of 2228	2152	cmd.exe	36
PID 2152 wrote to memory of 2228	2152	cmd.exe	36
PID 2152 wrote to memory of 2228	2152	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326.exe
"C:\Users\Admin\AppData\Local\Temp\794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Redubber=Get-Content 'C:\Users\Admin\AppData\Local\twinsomeness\Non\taaren.Min';$Fleurs=$Redubber.SubString(10682,3);.$Fleurs($Redubber)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\halshuggende.exe
    "C:\Users\Admin\AppData\Local\Temp\halshuggende.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Noninherence" /t REG_EXPAND_SZ /d "%Frabedendes% -windowstyle minimized $Inquietudes=(Get-ItemProperty -Path 'HKCU:\Specialforretning\').Megacerotine;%Frabedendes% ($Inquietudes)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Noninherence" /t REG_EXPAND_SZ /d "%Frabedendes% -windowstyle minimized $Inquietudes=(Get-ItemProperty -Path 'HKCU:\Specialforretning\').Megacerotine;%Frabedendes% ($Inquietudes)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\twinsomeness\Non\taaren.Min

Filesize
73KB

MD5
366c057966395cc642e71a51bad73bb2

SHA1
d509d341830ab04fb316f1ff5d8d1c493cf300ba

SHA256
75488edaa2e04f1a21dfb11577b9f8c66f2a0df06cee871a090c6d1b659f3299

SHA512
a4816109dc2ae97e2f5f107df12c61718f1b7298ac853985f4c377ddb5bfa869b8ce4bea01fc75e00d9e4c95219c447bb47ffea11e7e03cf1a4f149dd0acaeda

Download Submit
C:\Users\Admin\AppData\Local\twinsomeness\Palaeoniscidae.Bef

Filesize
342KB

MD5
133aaf772edfaa6a285b97c1ce72be71

SHA1
1a93606aac9005af7530a9279ec9d4681161bd80

SHA256
eaddb5038eb1bf4ad1c746f446fb7f7e322f2399b36cefefd677a86be48c99d4

SHA512
7a41016255b38930116b515c71c0056405c4be6ec71d3e01ab68d2cb02cf5612c52c594fd8b775e33b305cc5d27a98dbb428447faede7ec090b860caf480fba6

Download Submit
\Users\Admin\AppData\Local\Temp\halshuggende.exe

Filesize
912KB

MD5
d31458f5305e5071039b1d90013d0f20

SHA1
48ed3751fa79b2a8e0736cf07713615555f4392c

SHA256
794d69096feb810330dfde5b14715d05da279f506c795e158cc431387b8de326

SHA512
b09897570735c1e946d53c7658dfb05daadb0a4ab7a14d2ebb183b15a48bbdcdcfee3ec7a6d6edcfe3c3f1917db19e0eefaf76060d69650789f9fe54763f67e0

Download Submit
memory/688-49-0x00000000018B0000-0x000000000280F000-memory.dmp

Filesize
15.4MB

Download
memory/2112-18-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2112-15-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2112-11-0x0000000073CA1000-0x0000000073CA2000-memory.dmp

Filesize
4KB

Download
memory/2112-14-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2112-20-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2112-21-0x00000000065E0000-0x000000000753F000-memory.dmp

Filesize
15.4MB

Download
memory/2112-22-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2112-13-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/2112-12-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads