guloader | ecf0f23b171f136fd346cd1943b9992486805e1546a8ce61dc4d855fe71c0820

General

Target

Letter of Intent (LOI) For the Company November 2024 PDF.exe
Size

851KB
MD5

629be165860d2336755de85467756639
SHA1

af1da57d01a00bf942e127cce60fb4208bfd9795
SHA256

e9617a78c93e6d5cdc1087dfa6e9bf9d63406e05b6b01135c189242a7c33718c
SHA512

418f56a804212158033b1ae592cafeb8fa1c5a0d9506eb541beb7762c23ebfe5c61dbac8588c350816c229e9f6d77457e361423146874695976c1b8d9267cbff
SSDEEP

24576:ZNAsPMh+Cdd8509puHmATonQ1htKzWbGWO:dPMvA509pkonAhtHbnO

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Loads dropped DLL 2 IoCs

Processes:

Letter of Intent (LOI) For the Company November 2024 PDF.exe

pid process

2768 Letter of Intent (LOI) For the Company November 2024 PDF.exe
2768 Letter of Intent (LOI) For the Company November 2024 PDF.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Letter of Intent (LOI) For the Company November 2024 PDF.exeLetter of Intent (LOI) For the Company November 2024 PDF.exe

pid process

2768 Letter of Intent (LOI) For the Company November 2024 PDF.exe
2672 Letter of Intent (LOI) For the Company November 2024 PDF.exe

pid	process
2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe
2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe

pid	process
2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe
2672	Letter of Intent (LOI) For the Company November 2024 PDF.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Letter of Intent (LOI) For the Company November 2024 PDF.exe

description	pid	process	target process
PID 2768 set thread context of 2672	2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe	Letter of Intent (LOI) For the Company November 2024 PDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Letter of Intent (LOI) For the Company November 2024 PDF.exeLetter of Intent (LOI) For the Company November 2024 PDF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Letter of Intent (LOI) For the Company November 2024 PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Letter of Intent (LOI) For the Company November 2024 PDF.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Letter of Intent (LOI) For the Company November 2024 PDF.exe

pid process

2768 Letter of Intent (LOI) For the Company November 2024 PDF.exe

pid	process
2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Letter of Intent (LOI) For the Company November 2024 PDF.exe

description	pid	process	target process
PID 2768 wrote to memory of 2672	2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe	Letter of Intent (LOI) For the Company November 2024 PDF.exe
PID 2768 wrote to memory of 2672	2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe	Letter of Intent (LOI) For the Company November 2024 PDF.exe
PID 2768 wrote to memory of 2672	2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe	Letter of Intent (LOI) For the Company November 2024 PDF.exe
PID 2768 wrote to memory of 2672	2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe	Letter of Intent (LOI) For the Company November 2024 PDF.exe
PID 2768 wrote to memory of 2672	2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe	Letter of Intent (LOI) For the Company November 2024 PDF.exe
PID 2768 wrote to memory of 2672	2768	Letter of Intent (LOI) For the Company November 2024 PDF.exe	Letter of Intent (LOI) For the Company November 2024 PDF.exe

C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\Letter of Intent (LOI) For the Company November 2024 PDF.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BooConf.ini

Filesize
45B

MD5
8b9fc0443d7e48145e2d4b37afb2d37b

SHA1
64a5718a478a38ac262d2e46da81d0e88c122a0f

SHA256
4f743978ead44260f895c983689d718e31ca826161c447d205021a9d3e010afa

SHA512
5126da1d29f662465241c8b51b95783df3f88c8feb8bb1b65dcf354738c48aab4bfb6c0035dfe6b40fa03ae5aaba8f72f1c31343aec7d4edb9c6ebcc773cc3d3

Download Submit
\Users\Admin\AppData\Local\Temp\nso693F.tmp\System.dll

Filesize
11KB

MD5
be2621a78a13a56cf09e00dd98488360

SHA1
75f0539dc6af200a07cdb056cddddec595c6cfd2

SHA256
852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5

SHA512
b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

Download Submit
memory/2672-37-0x0000000076D60000-0x0000000076F09000-memory.dmp

Filesize
1.7MB

Download
memory/2672-35-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2672-38-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2768-31-0x0000000003020000-0x00000000045C5000-memory.dmp

Filesize
21.6MB

Download
memory/2768-32-0x0000000003020000-0x00000000045C5000-memory.dmp

Filesize
21.6MB

Download
memory/2768-33-0x0000000076D61000-0x0000000076E62000-memory.dmp

Filesize
1.0MB

Download
memory/2768-34-0x0000000076D60000-0x0000000076F09000-memory.dmp

Filesize
1.7MB

Download
memory/2768-36-0x0000000003020000-0x00000000045C5000-memory.dmp

Filesize
21.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads