guloader | 24843276944661cf3b13a9297843687f6b6fa1111d51bca9d73c45fa35bc4c7a

General

Target

Payment copy.vbs
Size

1.6MB
MD5

237ab08466bfa23450bb6266af82667f
SHA1

a82af4e2d1367d941bf7576a83219dc4ef0b6f99
SHA256

24843276944661cf3b13a9297843687f6b6fa1111d51bca9d73c45fa35bc4c7a
SHA512

03bab4a6f5797169fbee90def5f4c51a02f8725afb45a090f53fc3f20d395438a82812b30bd81d24129024142ff3b1c39c2b77c1d7931a02cf5899df72953b71
SSDEEP

24576:2Eeps6dHJFR2QlXTu3AoZBn7aw6ccWtxSX3KAHSh:0s6dt8x7r5cI

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	temp_executable.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	temp_executable.exe
376	temp_executable.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
376	temp_executable.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2772	temp_executable.exe
376	temp_executable.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 376	2772	temp_executable.exe	83

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sorteringsordenens.lnk	temp_executable.exe
File opened for modification	C:\Program Files (x86)\sorteringsordenens.lnk	temp_executable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_executable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_executable.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00080000000233f6-4.dat	nsis_installer_1
behavioral2/files/0x00080000000233f6-4.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe
376	temp_executable.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2772	temp_executable.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2772	2820	WScript.exe	82
PID 2820 wrote to memory of 2772	2820	WScript.exe	82
PID 2820 wrote to memory of 2772	2820	WScript.exe	82
PID 2772 wrote to memory of 376	2772	temp_executable.exe	83
PID 2772 wrote to memory of 376	2772	temp_executable.exe	83
PID 2772 wrote to memory of 376	2772	temp_executable.exe	83
PID 2772 wrote to memory of 376	2772	temp_executable.exe	83
PID 2772 wrote to memory of 376	2772	temp_executable.exe	83

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment copy.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\temp_executable.exe
  "C:\Users\Admin\AppData\Local\Temp\temp_executable.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\temp_executable.exe
    "C:\Users\Admin\AppData\Local\Temp\temp_executable.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sorteringsordenens.lnk

Filesize
906B

MD5
1674657e13c87a73c8a992dadecd903d

SHA1
1d14c9229809f2cdbe1cb121559929f8e9803f84

SHA256
6adb9a693d05e47c5c864c7ee21e650a4d08cb3d8a131bae6291eec3480f3aa9

SHA512
11f40d0577b52738d7708d8052e44927a81ebd0aef4a4162e8e684464a82932d8b028bd8584f278eaa72ad2a3769bc594dac366922a1b00f782ae372060d1446

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA2E8.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_executable.exe

Filesize
1.0MB

MD5
4648a0278bd003c324fcd7e7779dcf99

SHA1
401623540094e2eef531d366d8c155c1d3d72abb

SHA256
49260a07ff0d5c06efdfc3985bcc44d6df5cf2a56810f01c3243684b950264cc

SHA512
198d5db4bb4f612645786c27cdacb26665db4099cd8580091adf86d9d84fc16278d3a87c410912cb4968c630dca1cc14432551673fb7653ad83f28b601720da5

Download Submit
memory/376-303-0x00000000004B0000-0x0000000001704000-memory.dmp

Filesize
18.3MB

Download
memory/376-310-0x00000000004B0000-0x0000000001704000-memory.dmp

Filesize
18.3MB

Download
memory/376-307-0x00000000004B0000-0x0000000001704000-memory.dmp

Filesize
18.3MB

Download
memory/376-297-0x0000000001710000-0x0000000002E75000-memory.dmp

Filesize
23.4MB

Download
memory/376-306-0x00000000004B0000-0x0000000001704000-memory.dmp

Filesize
18.3MB

Download
memory/2772-294-0x0000000002920000-0x0000000004085000-memory.dmp

Filesize
23.4MB

Download
memory/2772-305-0x0000000002920000-0x0000000004085000-memory.dmp

Filesize
23.4MB

Download
memory/2772-299-0x0000000002920000-0x0000000004085000-memory.dmp

Filesize
23.4MB

Download
memory/2772-296-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2772-295-0x0000000077371000-0x0000000077491000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing