guloader | 72e6d0a6c546804ffdd79fcf20e97d13fd6ef53815a38aee737b6ef9a0a0b8f3

General

Target

f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe
Size

915KB
MD5

68201a6f398b098b4994a9e5f2d4405c
SHA1

5a39054a39b347e9d294bc42927861692bc03b6b
SHA256

f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7
SHA512

5fc21c049f18297d1d27857dd433a5df77d1bcbc8ecf7ab796ad91443f406355e70159759e519fee313b136ca63179fe2b81fd2f7cdb47868ce5ef9743db6da8
SSDEEP

12288:DBfOreqgPSOONGdVAhCssylYH+ZQnBPmQ8HjWsgrqpqfyl0fGXJ9BqNJowksV3:hOreq0OMAxsyuHdUHjvEO0fG5vq7Hx

Score

10^/10

guloader discovery downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	powershell.exe
2196	Raadnetanken.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\kingrow = "%Dfa% -windowstyle minimized $Celebrer=(Get-ItemProperty -Path 'HKCU:\\Overvre\\').Fljtets;%Dfa% ($Celebrer)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2196	Raadnetanken.exe
2196	Raadnetanken.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2868	powershell.exe
2196	Raadnetanken.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 2196	2868	powershell.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Raadnetanken.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2360	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2868	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2868	2640	f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe	30
PID 2640 wrote to memory of 2868	2640	f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe	30
PID 2640 wrote to memory of 2868	2640	f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe	30
PID 2640 wrote to memory of 2868	2640	f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe	30
PID 2868 wrote to memory of 2196	2868	powershell.exe	33
PID 2868 wrote to memory of 2196	2868	powershell.exe	33
PID 2868 wrote to memory of 2196	2868	powershell.exe	33
PID 2868 wrote to memory of 2196	2868	powershell.exe	33
PID 2868 wrote to memory of 2196	2868	powershell.exe	33
PID 2868 wrote to memory of 2196	2868	powershell.exe	33
PID 2196 wrote to memory of 2976	2196	Raadnetanken.exe	34
PID 2196 wrote to memory of 2976	2196	Raadnetanken.exe	34
PID 2196 wrote to memory of 2976	2196	Raadnetanken.exe	34
PID 2196 wrote to memory of 2976	2196	Raadnetanken.exe	34
PID 2976 wrote to memory of 2360	2976	cmd.exe	36
PID 2976 wrote to memory of 2360	2976	cmd.exe	36
PID 2976 wrote to memory of 2360	2976	cmd.exe	36
PID 2976 wrote to memory of 2360	2976	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe
"C:\Users\Admin\AppData\Local\Temp\f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Showpiece44=Get-Content 'C:\Users\Admin\AppData\Local\twinsomeness\Duperingernes.ing';$Subfluid=$Showpiece44.SubString(24464,3);.$Subfluid($Showpiece44)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\Raadnetanken.exe
    "C:\Users\Admin\AppData\Local\Temp\Raadnetanken.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "kingrow" /t REG_EXPAND_SZ /d "%Dfa% -windowstyle minimized $Celebrer=(Get-ItemProperty -Path 'HKCU:\Overvre\').Fljtets;%Dfa% ($Celebrer)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "kingrow" /t REG_EXPAND_SZ /d "%Dfa% -windowstyle minimized $Celebrer=(Get-ItemProperty -Path 'HKCU:\Overvre\').Fljtets;%Dfa% ($Celebrer)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\twinsomeness\Duperingernes.ing

Filesize
67KB

MD5
f9a33a09287d7157286f38877c443dea

SHA1
b4be7206cf4a5de226c3595bea2d4c2d0cbe1ecc

SHA256
2b2f4b4baea1491aa69ec9829bb56f92f0d0525aed11a1a117c9942d1e70e0d2

SHA512
b3b522b563a2118ae4ab914d63ddc30ef83035ea33642abfcc28b5544167b82124c60feb61fd98186cc3387cab88151a587e85dc894e8a824d9fa7a7bb743252

Download Submit
C:\Users\Admin\AppData\Local\twinsomeness\Kasketters.Phy

Filesize
357KB

MD5
8315fece2c735c00d3bbbeebbe094958

SHA1
28a1732cebbdfff364474622f954c5ae30067bc3

SHA256
3ab4200bc1e7592168a8eab5ad57af8b98dfb538b5934e8ffd0673531ab2b481

SHA512
e0e837e888a6e40c8339fdec8a18dc29ecefadaeef9880b651f3570fa668596cebd3951ba1b14aba6c4cdfa0ce5c2c01dd50cea95911fd5d3ff1eb416d39117c

Download Submit
\Users\Admin\AppData\Local\Temp\Raadnetanken.exe

Filesize
915KB

MD5
68201a6f398b098b4994a9e5f2d4405c

SHA1
5a39054a39b347e9d294bc42927861692bc03b6b

SHA256
f47cab9eface9209fb0f87cc93b605c08f332f7447389edd831ef7e12f69fbb7

SHA512
5fc21c049f18297d1d27857dd433a5df77d1bcbc8ecf7ab796ad91443f406355e70159759e519fee313b136ca63179fe2b81fd2f7cdb47868ce5ef9743db6da8

Download Submit
memory/2196-50-0x00000000018B0000-0x00000000071E4000-memory.dmp

Filesize
89.2MB

Download
memory/2196-27-0x0000000000840000-0x00000000018A2000-memory.dmp

Filesize
16.4MB

Download
memory/2868-18-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-11-0x0000000073B21000-0x0000000073B22000-memory.dmp

Filesize
4KB

Download
memory/2868-14-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-20-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-21-0x00000000064E0000-0x000000000BE14000-memory.dmp

Filesize
89.2MB

Download
memory/2868-22-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-15-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-13-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-12-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads