guloader | 093d0eb173b4ced016c4fc7171322b7034c6a4346d6aae204dceeb8ed7e24106

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fredskorps102.exe
Size

798KB
MD5

e9b0955c25a1c27f35cd5107cbf1ccbe
SHA1

b9bf0e900b466943c51fc699f32da0f2252a20c2
SHA256

093d0eb173b4ced016c4fc7171322b7034c6a4346d6aae204dceeb8ed7e24106
SHA512

50d3e58ca7b9aab787abab6214fdc650e3950f17bb2d39ed0a87ae9c666ff94696b81a67a1c4b4d9da776731cdfe2757089ddce7470f1821a8ad63a7916f1475
SSDEEP

12288:A5WxQI/FYodPIwxso6YF/K8MIwlJ81XK1dggHjaWgGUVjJICMrdz0MeJa:AoxQItnPPDlK8o11d9+WgGUxJ+dze

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
1768	Fredskorps102.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	drive.google.com
18	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4924	Fredskorps102.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1768	Fredskorps102.exe
4924	Fredskorps102.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 4924	1768	Fredskorps102.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fredskorps102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fredskorps102.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe
4924	Fredskorps102.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1768	Fredskorps102.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 4924	1768	Fredskorps102.exe	85
PID 1768 wrote to memory of 4924	1768	Fredskorps102.exe	85
PID 1768 wrote to memory of 4924	1768	Fredskorps102.exe	85
PID 1768 wrote to memory of 4924	1768	Fredskorps102.exe	85
PID 1768 wrote to memory of 4924	1768	Fredskorps102.exe	85

C:\Users\Admin\AppData\Local\Temp\Fredskorps102.exe
"C:\Users\Admin\AppData\Local\Temp\Fredskorps102.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\Fredskorps102.exe
  "C:\Users\Admin\AppData\Local\Temp\Fredskorps102.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsvBA0B.tmp\System.dll

Filesize
11KB

MD5
e23600029d1b09bdb1d422fb4e46f5a6

SHA1
5d64a2f6a257a98a689a3db9a087a0fd5f180096

SHA256
7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38

SHA512
c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac

Download Submit
memory/1768-14-0x00000000044F0000-0x0000000006884000-memory.dmp

Filesize
35.6MB

Download
memory/1768-15-0x00000000044F0000-0x0000000006884000-memory.dmp

Filesize
35.6MB

Download
memory/1768-16-0x0000000077711000-0x0000000077831000-memory.dmp

Filesize
1.1MB

Download
memory/1768-17-0x0000000077711000-0x0000000077831000-memory.dmp

Filesize
1.1MB

Download
memory/1768-18-0x0000000074575000-0x0000000074576000-memory.dmp

Filesize
4KB

Download
memory/1768-36-0x00000000044F0000-0x0000000006884000-memory.dmp

Filesize
35.6MB

Download
memory/4924-24-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4924-20-0x0000000001660000-0x00000000039F4000-memory.dmp

Filesize
35.6MB

Download
memory/4924-34-0x0000000001660000-0x00000000039F4000-memory.dmp

Filesize
35.6MB

Download
memory/4924-35-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4924-19-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4924-37-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4924-38-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4924-41-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4924-42-0x0000000001660000-0x00000000039F4000-memory.dmp

Filesize
35.6MB

Download