Malware Analysis Report

2024-12-06 03:19

Sample ID 241028-dmb67awpdk
Target f16104254e8fed34ed61afd2463d4c1f25e71f6758d92c87ce48a696d6da50a0
SHA256 f16104254e8fed34ed61afd2463d4c1f25e71f6758d92c87ce48a696d6da50a0
Tags: discovery, guloader, downloader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: f16104254e8fed34ed61afd2463d4c1f25e71f6758d92c87ce48a696d6da50a0

Threat Level: Known bad

The file f16104254e8fed34ed61afd2463d4c1f25e71f6758d92c87ce48a696d6da50a0 was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, guloader, downloader

Guloader,Cloudeye

Guloader family

Loads dropped DLL

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-28 03:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NSIS installer

Tag: installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-28 03:07
Reported: 2024-10-28 03:09
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe

"C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 524

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nstB76E.tmp\System.dll

MD5 c61501f07cf09bcfcdfe4cc8a1ebbbe3
SHA1 e8581b4359651b857646ae727efaaef372daa0fc
SHA256 7e75f148920db6300dad5a1c12fd5d6eecc95698a310a01311181bc98a704d55
SHA512 9837abe7ec3fa0f1f5193968d12b7ca1893e34eddf628db1f7ab6715b4de339231f0ec1b5f0f86c767f5a30c40da5c4a95e99deedd22eece93cb0d00539aad24

C:\Users\Admin\AppData\Local\Temp\BooConf.ini

MD5 8b9fc0443d7e48145e2d4b37afb2d37b
SHA1 64a5718a478a38ac262d2e46da81d0e88c122a0f
SHA256 4f743978ead44260f895c983689d718e31ca826161c447d205021a9d3e010afa
SHA512 5126da1d29f662465241c8b51b95783df3f88c8feb8bb1b65dcf354738c48aab4bfb6c0035dfe6b40fa03ae5aaba8f72f1c31343aec7d4edb9c6ebcc773cc3d3

memory/1304-27-0x0000000003A60000-0x0000000005D26000-memory.dmp

memory/1304-28-0x0000000003A60000-0x0000000005D26000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-28 03:07
Reported: 2024-10-28 03:09
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe"

Signatures

Guloader family

Tag: guloader

Guloader,Cloudeye

Tags: downloader, guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe

"C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe"

C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe

"C:\Users\Admin\AppData\Local\Temp\FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.exe"

Network

Country | Destination | Domain | Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 www.evolutioncosmetics.com udp
CA 69.27.100.185:443 www.evolutioncosmetics.com tcp
US 8.8.8.8:53 185.100.27.69.in-addr.arpa udp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.18.190.80:80 r10.o.lencr.org tcp
US 8.8.8.8:53 61.45.26.184.in-addr.arpa udp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nse9E25.tmp\System.dll

MD5 c61501f07cf09bcfcdfe4cc8a1ebbbe3
SHA1 e8581b4359651b857646ae727efaaef372daa0fc
SHA256 7e75f148920db6300dad5a1c12fd5d6eecc95698a310a01311181bc98a704d55
SHA512 9837abe7ec3fa0f1f5193968d12b7ca1893e34eddf628db1f7ab6715b4de339231f0ec1b5f0f86c767f5a30c40da5c4a95e99deedd22eece93cb0d00539aad24

C:\Users\Admin\AppData\Local\Temp\BooConf.ini

MD5 8b9fc0443d7e48145e2d4b37afb2d37b
SHA1 64a5718a478a38ac262d2e46da81d0e88c122a0f
SHA256 4f743978ead44260f895c983689d718e31ca826161c447d205021a9d3e010afa
SHA512 5126da1d29f662465241c8b51b95783df3f88c8feb8bb1b65dcf354738c48aab4bfb6c0035dfe6b40fa03ae5aaba8f72f1c31343aec7d4edb9c6ebcc773cc3d3

memory/2596-25-0x0000000004530000-0x00000000067F6000-memory.dmp

memory/2596-26-0x0000000077751000-0x0000000077871000-memory.dmp

memory/2596-27-0x00000000745B5000-0x00000000745B6000-memory.dmp

memory/2596-28-0x0000000004530000-0x00000000067F6000-memory.dmp

memory/4792-29-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4792-30-0x0000000001660000-0x0000000003926000-memory.dmp

memory/4792-37-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4792-38-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4792-39-0x0000000001660000-0x0000000003926000-memory.dmp

memory/4792-40-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4792-44-0x0000000000400000-0x0000000001654000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-28 03:07
Reported: 2024-10-28 03:09
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-10-28 03:07
Reported: 2024-10-28 03:09
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3980 wrote to memory of 4828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3980 wrote to memory of 4828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3980 wrote to memory of 4828 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4828 -ip 4828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 612

Network

Country | Destination | Domain | Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A