Malware Analysis Report

2024-11-13 17:38

Sample ID 241107-chxfwsvpdr
Target 0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe
SHA256 0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441
Tags discovery guloader downloader
Score 10/10

Analysis Overview

score
10/10

SHA256

0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441

Threat Level: Known bad

The file 0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe was found to be: Known bad.

Malicious Activity Summary

discovery guloader downloader

Guloader, Cloudeye

Guloader family

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 02:05

Signatures

Unsigned PE

NSIS installer

installer

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-07 02:05

Reported

2024-11-07 02:07

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 4428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 4428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3060 wrote to memory of 4428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4428 -ip 4428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 02:05

Reported

2024-11-07 02:07

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe

"C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 524

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsoB701.tmp\System.dll

MD5 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3
SHA1 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4
SHA256 d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57
SHA512 cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8

\Users\Admin\AppData\Local\Temp\nsoB701.tmp\LangDLL.dll

MD5 61f69388ae89d61a3d838cbcf81b4f82
SHA1 e595c0236a373a6ac79c334dc183ee03ca8f8ecd
SHA256 d65875bb4bc121f81384d55fde90dd9eb9ad1878cd8a02bcb5c8a933c3987a61
SHA512 21d34738cc21c1ef6b0ef1ac53659cdab224bbc20ea983f9a952a2cb4b5785a07bb18c0acf22a0d12a94795e1fc6d314f442c923bb1a93b675edac8c6aacf469

memory/2600-35-0x00000000041B0000-0x0000000005099000-memory.dmp

memory/2600-36-0x00000000041B0000-0x0000000005099000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 02:05

Reported

2024-11-07 02:07

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe"

Signatures

Guloader family

guloader

Guloader, Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe

"C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe"

C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe

"C:\Users\Admin\AppData\Local\Temp\0c90b170c457fe4656140750bef8331f0f7c195bf3acb378f8ec80a6a42a7441.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3748 -ip 3748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1228

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 iw.achulapo.ru.com udp
DE 100.42.180.70:80 iw.achulapo.ru.com tcp
US 8.8.8.8:53 70.180.42.100.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsvC758.tmp\System.dll

MD5 4ca4fd3fbefa2f6e87e6e9ee87d1c0b3
SHA1 7cdbeb5ff2b14b86af04e075d0ca651183ea5df4
SHA256 d09a8b3ade4ba4b7292c0b3da1bcb4b6c6e2012e0ccfd5e029a54af73a9e1b57
SHA512 cf0f415a97fdc74568297fed4f1295d0d2aef487a308141144ef8d5f04c669ef4795c273e745b81065429adde113fcdedf4c22717a7aeef60fdcd8d4d46f97f8

C:\Users\Admin\AppData\Local\Temp\nsvC758.tmp\LangDLL.dll

MD5 61f69388ae89d61a3d838cbcf81b4f82
SHA1 e595c0236a373a6ac79c334dc183ee03ca8f8ecd
SHA256 d65875bb4bc121f81384d55fde90dd9eb9ad1878cd8a02bcb5c8a933c3987a61
SHA512 21d34738cc21c1ef6b0ef1ac53659cdab224bbc20ea983f9a952a2cb4b5785a07bb18c0acf22a0d12a94795e1fc6d314f442c923bb1a93b675edac8c6aacf469

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 02:05

Reported

2024-11-07 02:07

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 02:05

Reported

2024-11-07 02:07

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1084 wrote to memory of 544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1084 wrote to memory of 544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-07 02:05

Reported

2024-11-07 02:07

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 220

Network

N/A

Files

N/A