guloader | 2287a97cf2d6372b8d60b9b1bb7d3d1b712605b33993868724ad8402261785e5

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bestellung.vbs
Size

1.1MB
MD5

fb74f970b27703e29d97dda20ce839fc
SHA1

bb60d1e8a7d4ebee9651f97cf8d4b77eba3d4f9d
SHA256

2287a97cf2d6372b8d60b9b1bb7d3d1b712605b33993868724ad8402261785e5
SHA512

32e715fba256862bc0e39eab9f248315d5d9048a0f41f3a8fa9f2e0b3ef656a75f144093b80bbe76527cd0de90cb33df63f9df2c9f51719b941f8da437cd715c
SSDEEP

12288:suQGQZybQ9+p/0ebOfesj7KCsGXwbFHAhqGAYZEup/RY9VzBoJhTtxlkPpmkdmg6:sukcT/mxxIFHZhoY9VzBoJp4Vmwa

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2924	temp_file.exe

Loads dropped DLL 3 IoCs

pid	Process
2924	temp_file.exe
2924	temp_file.exe
5012	temp_file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2924	temp_file.exe
5012	temp_file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 5012	2924	temp_file.exe	99

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\anderssons\svrdliljernes.elu	temp_file.exe
File opened for modification	C:\Windows\resources\0409\Landgafol76\bojanerne.ini	temp_file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_file.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2924	temp_file.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 2924	5104	WScript.exe	94
PID 5104 wrote to memory of 2924	5104	WScript.exe	94
PID 5104 wrote to memory of 2924	5104	WScript.exe	94
PID 2924 wrote to memory of 5012	2924	temp_file.exe	99
PID 2924 wrote to memory of 5012	2924	temp_file.exe	99
PID 2924 wrote to memory of 5012	2924	temp_file.exe	99
PID 2924 wrote to memory of 5012	2924	temp_file.exe	99
PID 2924 wrote to memory of 5012	2924	temp_file.exe	99

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bestellung.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\temp_file.exe
  "C:\Users\Admin\AppData\Local\Temp\temp_file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\temp_file.exe
    "C:\Users\Admin\AppData\Local\Temp\temp_file.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nslAFD9.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_file.exe

Filesize
687KB

MD5
2031608d4bafa45c4b0bc75d8e807204

SHA1
8719b0608a8d814cc81a437e105bafd8622e76d5

SHA256
fc73b5466e3c2c0d5d9dc70a8b210eb617ac2fdf74a8caee778d57fdb197690d

SHA512
f87ff9056ef512a51d7a162ac6b10aee06e90c753c9d30936d2434e78bb3242f796410981e7bc12ef2a7db4a6841422a8736128dadc07eaf0b8cc3c5a132678c

Download Submit
memory/2924-22-0x00000000033B0000-0x0000000005CCF000-memory.dmp

Filesize
41.1MB

Download
memory/2924-23-0x0000000073F25000-0x0000000073F26000-memory.dmp

Filesize
4KB

Download
memory/2924-26-0x00000000033B0000-0x0000000005CCF000-memory.dmp

Filesize
41.1MB

Download
memory/5012-25-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/5012-36-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download