Malware Analysis Report

2024-11-15 10:21

Sample ID: 241106-r4qmss1naz
Target: 5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe
SHA256: 5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0
Tags: discovery, guloader, downloader
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0
Threat Level: Known bad

The file 5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, guloader, downloader

Guloader family

Guloader,Cloudeye

Loads dropped DLL

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-06 14:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-06 14:45
Reported: 2024-11-06 14:47
Platform: win10v2004-20241007-en
Max time kernel: 95s
Max time network: 137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4608 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4608 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4608 wrote to memory of 2724 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2724 -ip 2724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-06 14:45
Reported: 2024-11-06 14:47
Platform: win7-20240903-en
Max time kernel: 9s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe"

Signatures

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\customization.rom | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\resources\primy.ini | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe

"C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe"

Network

N/A

Files

C:\Windows\Resources\primy.ini

MD5 76d9175a3db7407eb0bfc3c07ddcd9d2
SHA1 72071127e9a44935cb02650ed715ccaf6a8f8418
SHA256 1f7119996dd17af05bf05e497104715bbbc3909676afa4329fbd59502be1a1a5
SHA512 5032dab71e70a4bd1dad2f5cf9380e0097be7993bc46886fed6e4bdd8781f2b10d31338d90d0dc5804665bda2cbfe93f1172250e1a8ab7c9118baf9f156e3c69

\Users\Admin\AppData\Local\Temp\nsyC4A7.tmp\System.dll

MD5 192639861e3dc2dc5c08bb8f8c7260d5
SHA1 58d30e460609e22fa0098bc27d928b689ef9af78
SHA256 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA512 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

memory/1620-23239-0x00000000031F0000-0x0000000003C59000-memory.dmp
memory/1620-23242-0x00000000031F0000-0x0000000003C59000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-06 14:45
Reported: 2024-11-06 14:47
Platform: win10v2004-20241007-en
Max time kernel: 13s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe"

Signatures

Guloader family

Tags: guloader

Guloader,Cloudeye

Tags: downloader, guloader

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\customization.rom | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\resources\primy.ini | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe

"C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe"

C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe

"C:\Users\Admin\AppData\Local\Temp\5fb792bb1793ff9314b4a3a4d3f8e267f9b833ae9467b42f0bd7df012de5d0f0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 kmsaksesuar.com udp
US 44.28.239.165:443 kmsaksesuar.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 44.28.239.165:443 kmsaksesuar.com tcp
US 44.28.239.165:443 kmsaksesuar.com tcp
US 44.28.239.165:443 kmsaksesuar.com tcp
US 44.28.239.165:443 kmsaksesuar.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.28.239.165:443 kmsaksesuar.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 44.28.239.165:443 kmsaksesuar.com tcp
US 44.28.239.165:443 kmsaksesuar.com tcp
US 44.28.239.165:443 kmsaksesuar.com tcp

Files

C:\Windows\Resources\primy.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of a zero-byte file: primy.ini was empty when it was captured in this run.)

C:\Users\Admin\AppData\Local\Temp\nsa8629.tmp\System.dll

MD5 192639861e3dc2dc5c08bb8f8c7260d5
SHA1 58d30e460609e22fa0098bc27d928b689ef9af78
SHA256 23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA512 6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

memory/4324-23237-0x0000000002F20000-0x0000000003989000-memory.dmp
memory/4324-23238-0x0000000077BE1000-0x0000000077D01000-memory.dmp
memory/4324-23239-0x00000000748D5000-0x00000000748D6000-memory.dmp
memory/4324-23240-0x0000000002F20000-0x0000000003989000-memory.dmp
memory/3660-23241-0x0000000000400000-0x0000000001654000-memory.dmp
memory/3660-23242-0x0000000001660000-0x00000000020C9000-memory.dmp
memory/3660-23243-0x0000000077C68000-0x0000000077C69000-memory.dmp
memory/3660-23244-0x0000000077C85000-0x0000000077C86000-memory.dmp
memory/3660-23245-0x0000000001660000-0x00000000020C9000-memory.dmp
memory/3660-23247-0x0000000077BE1000-0x0000000077D01000-memory.dmp
memory/3660-23246-0x0000000000400000-0x0000000001654000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-06 14:45
Reported: 2024-11-06 14:47
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 220

Network

N/A

Files

N/A