guloader | 1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052

General

Target

1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052N.exe
Size

787KB
MD5

2a58425293da7dfb6b538be1a0938ae0
SHA1

f0c77f6e7b0aa956a69781cee03f178993c6b2b4
SHA256

1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052
SHA512

a520036a55b9cb63a9e5d1665378d6bf1f4c6922b1c8302e1e696c1d7e1e11d166d173435a8bf33a0c1f05826dee1e061d4d110459037c156cba29294d18f9ad
SSDEEP

12288:ZtSfgqcOZxX5BgvFnV6IBRudkPIUqMzABEcdmBIG8991x2HqMqFK1yoI:LSfgeXIvXDlI4wEcsBIFxwqFK1yoI

Score

10^/10

guloader discovery downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bkcy = "%Nastaliq191% -windowstyle minimized $Subeditorial=(Get-ItemProperty -Path 'HKCU:\\Tilsvar\\').spyddenes;%Nastaliq191% ($Subeditorial)"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2812	powershell.exe
2124	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 2124	2812	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052N.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2884	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2812	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2812	1904	1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052N.exe	31
PID 1904 wrote to memory of 2812	1904	1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052N.exe	31
PID 1904 wrote to memory of 2812	1904	1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052N.exe	31
PID 1904 wrote to memory of 2812	1904	1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052N.exe	31
PID 2812 wrote to memory of 2124	2812	powershell.exe	34
PID 2812 wrote to memory of 2124	2812	powershell.exe	34
PID 2812 wrote to memory of 2124	2812	powershell.exe	34
PID 2812 wrote to memory of 2124	2812	powershell.exe	34
PID 2812 wrote to memory of 2124	2812	powershell.exe	34
PID 2812 wrote to memory of 2124	2812	powershell.exe	34
PID 2124 wrote to memory of 1884	2124	wabmig.exe	35
PID 2124 wrote to memory of 1884	2124	wabmig.exe	35
PID 2124 wrote to memory of 1884	2124	wabmig.exe	35
PID 2124 wrote to memory of 1884	2124	wabmig.exe	35
PID 1884 wrote to memory of 2884	1884	cmd.exe	37
PID 1884 wrote to memory of 2884	1884	cmd.exe	37
PID 1884 wrote to memory of 2884	1884	cmd.exe	37
PID 1884 wrote to memory of 2884	1884	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052N.exe
"C:\Users\Admin\AppData\Local\Temp\1c93a68eefd2ba3fc952de91d44a3e95321819e0977ecd5e7dfb33ea47bfb052N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Mangelsygdommen60=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Travbanes\ahornsukker\diplospondylism\Maatterne\Blodkrft.bom';$Haandboldkamp=$Mangelsygdommen60.SubString(34049,3);.$Haandboldkamp($Mangelsygdommen60) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files (x86)\windows mail\wabmig.exe
    "C:\Program Files (x86)\windows mail\wabmig.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bkcy" /t REG_EXPAND_SZ /d "%Nastaliq191% -windowstyle minimized $Subeditorial=(Get-ItemProperty -Path 'HKCU:\Tilsvar\').spyddenes;%Nastaliq191% ($Subeditorial)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bkcy" /t REG_EXPAND_SZ /d "%Nastaliq191% -windowstyle minimized $Subeditorial=(Get-ItemProperty -Path 'HKCU:\Tilsvar\').spyddenes;%Nastaliq191% ($Subeditorial)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Travbanes\ahornsukker\diplospondylism\Forargelsens255.Ked

Filesize
330KB

MD5
0528c554e01f60a16333e6af6af4f61e

SHA1
84bd228765851e609d088e25f9058ec10b89cde5

SHA256
89917a5b81b3c365eb2706d0dadc9a80728bfae69939eca783bb90f14ef10b75

SHA512
d9f201240451f9050f7fdf8cb77a8eb6d4938bd206bed150cfdf280ab4a49717e30fcea3143732e205e39e378f9462f92454366852acf240e61f63dd66c507e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Travbanes\ahornsukker\diplospondylism\Maatterne\Blodkrft.bom

Filesize
69KB

MD5
0dca59725c37090c84e951f4e5e366bd

SHA1
05ae81b9fbe45b0a77f7d556bd013554224a83a7

SHA256
2812f694abf2e6417d92d7150c05c8d343dc29520f23c0248582b568310cdca0

SHA512
8817ae6e86d4bbceb55b64b3371f4c92775923a9d7f2b28d8f741c625517837bf4c582ecb42c25ab315a80dd841fc2b4a2fc060566b4b8b8eeccba20c732ea42

Download Submit
memory/2124-24-0x0000000000310000-0x0000000001372000-memory.dmp

Filesize
16.4MB

Download
memory/2124-23-0x0000000001380000-0x000000000662C000-memory.dmp

Filesize
82.7MB

Download
memory/2812-18-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-14-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-11-0x00000000738B1000-0x00000000738B2000-memory.dmp

Filesize
4KB

Download
memory/2812-15-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-20-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-21-0x0000000006790000-0x000000000BA3C000-memory.dmp

Filesize
82.7MB

Download
memory/2812-22-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-13-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-12-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads