guloader | 49260a07ff0d5c06efdfc3985bcc44d6df5cf2a56810f01c3243684b950264cc

General

Target

1116543711892424.scr
Size

1.0MB
MD5

4648a0278bd003c324fcd7e7779dcf99
SHA1

401623540094e2eef531d366d8c155c1d3d72abb
SHA256

49260a07ff0d5c06efdfc3985bcc44d6df5cf2a56810f01c3243684b950264cc
SHA512

198d5db4bb4f612645786c27cdacb26665db4099cd8580091adf86d9d84fc16278d3a87c410912cb4968c630dca1cc14432551673fb7653ad83f28b601720da5
SSDEEP

12288:x9XMnptEWw7TAIh1LSw84bjZgyrMNAzP6RtRQXl51KBkpw8+QZ0:rcnsWw7sIh1uQba4mRjQVP2UkV

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
2032	1116543711892424.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2032	1116543711892424.scr
2768	1116543711892424.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 2768	2032	1116543711892424.scr	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sorteringsordenens.lnk	1116543711892424.scr
File opened for modification	C:\Program Files (x86)\sorteringsordenens.lnk	1116543711892424.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1116543711892424.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1116543711892424.scr

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1116543711892424.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1116543711892424.scr

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2032	1116543711892424.scr

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2768	2032	1116543711892424.scr	28
PID 2032 wrote to memory of 2768	2032	1116543711892424.scr	28
PID 2032 wrote to memory of 2768	2032	1116543711892424.scr	28
PID 2032 wrote to memory of 2768	2032	1116543711892424.scr	28
PID 2032 wrote to memory of 2768	2032	1116543711892424.scr	28
PID 2032 wrote to memory of 2768	2032	1116543711892424.scr	28

C:\Users\Admin\AppData\Local\Temp\1116543711892424.scr
"C:\Users\Admin\AppData\Local\Temp\1116543711892424.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\1116543711892424.scr
  "C:\Users\Admin\AppData\Local\Temp\1116543711892424.scr" /S
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sorteringsordenens.lnk

Filesize
890B

MD5
6e63de5df07910ccd28e328a97551f22

SHA1
e8ae1dd85b74163b8cce34c9818d1363bd902bf8

SHA256
9b553a77d8c0bf55cb938c7b92b80fbfe06c56b701a9b8e36c07d2ac0ae198e9

SHA512
7781a0a745f550751182ea4f229a41044270bce3408a82a09e3fe7671c99131eafdddf4bc30028835eb46b5011237e6284fcc69f7ea2dab2668429184e7948a6

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5D0F.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
memory/2032-283-0x0000000002C60000-0x00000000043C5000-memory.dmp

Filesize
23.4MB

Download
memory/2032-284-0x0000000076FC1000-0x00000000770C2000-memory.dmp

Filesize
1.0MB

Download
memory/2032-285-0x0000000076FC0000-0x0000000077169000-memory.dmp

Filesize
1.7MB

Download
memory/2032-286-0x0000000002C60000-0x00000000043C5000-memory.dmp

Filesize
23.4MB

Download
memory/2032-310-0x0000000002C60000-0x00000000043C5000-memory.dmp

Filesize
23.4MB

Download
memory/2768-287-0x0000000001520000-0x0000000002C85000-memory.dmp

Filesize
23.4MB

Download
memory/2768-288-0x0000000076FC0000-0x0000000077169000-memory.dmp

Filesize
1.7MB

Download
memory/2768-304-0x00000000004B0000-0x0000000001512000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing