Malware Analysis Report

2024-11-15 10:22

Sample ID: 241106-kgb3kaxdpn
Target: 643c1b8444da8c89fa83aed917307b6c.bat
SHA256: 137742d1bb597a2818431b1634f38a9d93069afc1657955ef7144c152eb26f86
Tags: discovery, guloader, downloader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
Analysis: behavioral2
Analysis: behavioral3
Analysis: behavioral4
Analysis: behavioral5
Analysis: behavioral6
    (each behavioral analysis: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 137742d1bb597a2818431b1634f38a9d93069afc1657955ef7144c152eb26f86
Threat Level: Known bad

The file 643c1b8444da8c89fa83aed917307b6c.bat was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, guloader, downloader

Guloader family

Guloader,Cloudeye

Loads dropped DLL

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-06 08:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer (tag: installer)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-06 08:33
Reported: 2024-11-06 08:36
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe

"C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 524

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso9B95.tmp\System.dll

MD5 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3
SHA1 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4
SHA256 d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57
SHA512 cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8

\Users\Admin\AppData\Local\Temp\nso9B95.tmp\LangDLL.dll

MD5 61f69388ae89d61a3d838cbcf81b4f82
SHA1 e595c0236a373a6ac79c334dc183ee03ca8f8ecd
SHA256 d65875bb4bc121f81384d55fde90dd9eb9ad1878cd8a02bcb5c8a933c3987a61
SHA512 21d34738cc21c1ef6b0ef1ac53659cdab224bbc20ea983f9a952a2cb4b5785a07bb18c0acf22a0d12a94795e1fc6d314f442c923bb1a93b675edac8c6aacf469

memory/2452-35-0x0000000003F70000-0x000000000500E000-memory.dmp

memory/2452-36-0x0000000003F70000-0x000000000500E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-06 08:33
Reported: 2024-11-06 08:36
Platform: win10v2004-20241007-en
Max time kernel: 134s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"

Signatures

Guloader family (tag: guloader)

Guloader,Cloudeye (tags: downloader, guloader)

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2848 set thread context of 2680 N/A C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe

"C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"

C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe

"C:\Users\Admin\AppData\Local\Temp\643c1b8444da8c89fa83aed917307b6c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2680 -ip 2680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1052

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 iw.achulapo.ru.com udp
DE 100.42.180.70:80 iw.achulapo.ru.com tcp
US 8.8.8.8:53 70.180.42.100.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsaB9DB.tmp\System.dll

MD5 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3
SHA1 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4
SHA256 d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57
SHA512 cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8

C:\Users\Admin\AppData\Local\Temp\nsaB9DB.tmp\LangDLL.dll

MD5 61f69388ae89d61a3d838cbcf81b4f82
SHA1 e595c0236a373a6ac79c334dc183ee03ca8f8ecd
SHA256 d65875bb4bc121f81384d55fde90dd9eb9ad1878cd8a02bcb5c8a933c3987a61
SHA512 21d34738cc21c1ef6b0ef1ac53659cdab224bbc20ea983f9a952a2cb4b5785a07bb18c0acf22a0d12a94795e1fc6d314f442c923bb1a93b675edac8c6aacf469

memory/2848-29-0x0000000004A20000-0x0000000005ABE000-memory.dmp

memory/2848-30-0x0000000077241000-0x0000000077361000-memory.dmp

memory/2848-32-0x0000000004A20000-0x0000000005ABE000-memory.dmp

memory/2848-31-0x00000000740A4000-0x00000000740A5000-memory.dmp

memory/2848-33-0x0000000004A20000-0x0000000005ABE000-memory.dmp

memory/2680-34-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2680-35-0x0000000001660000-0x00000000026FE000-memory.dmp

memory/2680-36-0x00000000772C8000-0x00000000772C9000-memory.dmp

memory/2680-37-0x00000000772E5000-0x00000000772E6000-memory.dmp

memory/2680-39-0x0000000000401000-0x0000000000404000-memory.dmp

memory/2680-38-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2680-40-0x0000000001660000-0x00000000026FE000-memory.dmp

memory/2680-41-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2680-42-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2680-43-0x0000000077241000-0x0000000077361000-memory.dmp

memory/2680-44-0x0000000000401000-0x0000000000404000-memory.dmp

memory/2680-45-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2680-46-0x0000000000400000-0x0000000001654000-memory.dmp

memory/2680-47-0x0000000000400000-0x0000000001654000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-06 08:33
Reported: 2024-11-06 08:36
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-06 08:33
Reported: 2024-11-06 08:36
Platform: win10v2004-20241007-en
Max time kernel: 130s
Max time network: 148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4384 -ip 4384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-11-06 08:33
Reported: 2024-11-06 08:36
Platform: win7-20240708-en
Max time kernel: 120s
Max time network: 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-11-06 08:33
Reported: 2024-11-06 08:36
Platform: win10v2004-20241007-en
Max time kernel: 135s
Max time network: 143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 3300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4284 wrote to memory of 3300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4284 wrote to memory of 3300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A