guloader | 9b00715d77438200a4f54fa8f47ac17aab0cc166e95fc6737c2a78021b69a64e

General

Target

Oogoninia.exe
Size

618KB
MD5

18fb2cccaa9ac71624eaceada006e938
SHA1

a25055a3b29ce0ee64d7e20eccced0f72ec737db
SHA256

9b00715d77438200a4f54fa8f47ac17aab0cc166e95fc6737c2a78021b69a64e
SHA512

5828d7ee60e66afac8d3650930ed8556adc9693ab32ca872cc16f71382568baa471827cee1162393b7bce2c725965bd92377e7960225e43e00aef87754a2215d
SSDEEP

6144:SyI5s2239XH7ySqrVWOqnBRryl2sIgghQtUnQl8uFfKIn4jma8LIwJzSdfoVLg68:H22tH7L0kel2sInQDlxnPn906OLhsI

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
3056	Oogoninia.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nonsurgically\skmbillede.smr	Oogoninia.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2732	Oogoninia.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3056	Oogoninia.exe
2732	Oogoninia.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 2732	3056	Oogoninia.exe	32

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Fljtenists.ini	Oogoninia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oogoninia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oogoninia.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2732	Oogoninia.exe
2732	Oogoninia.exe
2732	Oogoninia.exe
2732	Oogoninia.exe
2732	Oogoninia.exe
2732	Oogoninia.exe
2732	Oogoninia.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3056	Oogoninia.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2732	3056	Oogoninia.exe	32
PID 3056 wrote to memory of 2732	3056	Oogoninia.exe	32
PID 3056 wrote to memory of 2732	3056	Oogoninia.exe	32
PID 3056 wrote to memory of 2732	3056	Oogoninia.exe	32
PID 3056 wrote to memory of 2732	3056	Oogoninia.exe	32
PID 3056 wrote to memory of 2732	3056	Oogoninia.exe	32

C:\Users\Admin\AppData\Local\Temp\Oogoninia.exe
"C:\Users\Admin\AppData\Local\Temp\Oogoninia.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\Oogoninia.exe
  "C:\Users\Admin\AppData\Local\Temp\Oogoninia.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsjE448.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/2732-40-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2732-14-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2732-16-0x0000000077290000-0x0000000077439000-memory.dmp

Filesize
1.7MB

Download
memory/2732-38-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2732-41-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2732-42-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2732-49-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3056-12-0x0000000077291000-0x0000000077392000-memory.dmp

Filesize
1.0MB

Download
memory/3056-13-0x0000000077290000-0x0000000077439000-memory.dmp

Filesize
1.7MB

Download
memory/3056-15-0x00000000030B0000-0x0000000003B00000-memory.dmp

Filesize
10.3MB

Download
memory/3056-39-0x00000000030B0000-0x0000000003B00000-memory.dmp

Filesize
10.3MB

Download
memory/3056-11-0x00000000030B0000-0x0000000003B00000-memory.dmp

Filesize
10.3MB

Download

Analysis

Sharing