guloader | bee9b9e032ae0f79187a3f2944efa649041840d519a668952a2c3e5b221a1915

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura0292091162024Urbia.pdf..exe
Size

809KB
MD5

53e2b2ad9748d98c82d9b894f0fa5bda
SHA1

6d5b7bc033210b438b98d26380746496e0f231e1
SHA256

bee9b9e032ae0f79187a3f2944efa649041840d519a668952a2c3e5b221a1915
SHA512

196b1903f8be2d250480e46af37ec5b57d46d331caa1569dd53aef4c6e0132f691f7a3cc73bd9e20b8b9009feb34dd71766ea242e38e34f6c74bba7602798146
SSDEEP

24576:mHhe68g9nH0nObU0fwBcvqjXInHXUF/GmEZet2gkA:mBmgtH0nmCkkIhgNkA

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
1856	Deliberalize.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	drive.google.com
22	drive.google.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mycetophilidae\Megalethoscope.ini	Factura0292091162024Urbia.pdf..exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4540	powershell.exe
1856	Deliberalize.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\opstalt.ini	Factura0292091162024Urbia.pdf..exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\tekkkenerne.laa	Factura0292091162024Urbia.pdf..exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4540	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Factura0292091162024Urbia.pdf..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deliberalize.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0003000000022b11-180.dat	nsis_installer_1
behavioral2/files/0x0003000000022b11-180.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4540	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeIncreaseQuotaPrivilege	4540	powershell.exe
Token: SeSecurityPrivilege	4540	powershell.exe
Token: SeTakeOwnershipPrivilege	4540	powershell.exe
Token: SeLoadDriverPrivilege	4540	powershell.exe
Token: SeSystemProfilePrivilege	4540	powershell.exe
Token: SeSystemtimePrivilege	4540	powershell.exe
Token: SeProfSingleProcessPrivilege	4540	powershell.exe
Token: SeIncBasePriorityPrivilege	4540	powershell.exe
Token: SeCreatePagefilePrivilege	4540	powershell.exe
Token: SeBackupPrivilege	4540	powershell.exe
Token: SeRestorePrivilege	4540	powershell.exe
Token: SeShutdownPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeSystemEnvironmentPrivilege	4540	powershell.exe
Token: SeRemoteShutdownPrivilege	4540	powershell.exe
Token: SeUndockPrivilege	4540	powershell.exe
Token: SeManageVolumePrivilege	4540	powershell.exe
Token: 33	4540	powershell.exe
Token: 34	4540	powershell.exe
Token: 35	4540	powershell.exe
Token: 36	4540	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 4540	3068	Factura0292091162024Urbia.pdf..exe	85
PID 3068 wrote to memory of 4540	3068	Factura0292091162024Urbia.pdf..exe	85
PID 3068 wrote to memory of 4540	3068	Factura0292091162024Urbia.pdf..exe	85
PID 4540 wrote to memory of 1856	4540	powershell.exe	98
PID 4540 wrote to memory of 1856	4540	powershell.exe	98
PID 4540 wrote to memory of 1856	4540	powershell.exe	98
PID 4540 wrote to memory of 1856	4540	powershell.exe	98

C:\Users\Admin\AppData\Local\Temp\Factura0292091162024Urbia.pdf..exe
"C:\Users\Admin\AppData\Local\Temp\Factura0292091162024Urbia.pdf..exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle 1 "$Eloxal=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\gangrenescent\stiltedness\Monotheistic154.Hva';$Begroans=$Eloxal.SubString(53213,3);.$Begroans($Eloxal)
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\Deliberalize.exe
    "C:\Users\Admin\AppData\Local\Temp\Deliberalize.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\opstalt.ini

Filesize
31B

MD5
81d8c2c8ad8f0fc0a7a2ab1adaab83dd

SHA1
9d039931626cf960391c728870c78477f3a05436

SHA256
bd9d5e85a1c13119bad506a2523c665d363465506e17aab92407d43eceb5d509

SHA512
cfef482bdd7b5a253ce68f61d5d69cb4fb96b8b8e5ff18355998aa8c9cda34f32431938a5bed76762ddc2b66413107976cd89ed82edfb40a06af2a9769d75f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deliberalize.exe

Filesize
809KB

MD5
53e2b2ad9748d98c82d9b894f0fa5bda

SHA1
6d5b7bc033210b438b98d26380746496e0f231e1

SHA256
bee9b9e032ae0f79187a3f2944efa649041840d519a668952a2c3e5b221a1915

SHA512
196b1903f8be2d250480e46af37ec5b57d46d331caa1569dd53aef4c6e0132f691f7a3cc73bd9e20b8b9009feb34dd71766ea242e38e34f6c74bba7602798146

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ktwtzqxb.l2u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gangrenescent\stiltedness\Monotheistic154.Hva

Filesize
52KB

MD5
319c227e068176aaecd7365843c8bf48

SHA1
079e87e0de433023e0031ba596036e69b7785fbd

SHA256
ccccc37ddb764f9ecaa067032f53db5ed67b0fff95985958a966100b97c0d583

SHA512
1d55477dfb7299aa68d06247f8f3a5d4e03fe7ec65c65feaef29ebc1d8d166da5f98643806e00f9724d6d4de7fd6ee538441233a6618e0345901c21d7d378f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\gangrenescent\stiltedness\Mosen.Inj

Filesize
209KB

MD5
6bd9744ccdc2903a209b59ca768464a3

SHA1
58d91f92058b42fd1c51458cda93c95a41d22379

SHA256
6c975a2eb34d5090f6351c4eb570b4994a8a30c1b73d28dbe47239c70dda74a6

SHA512
5ac75fd66e83c291bad105014d5256987de9c6e2d962d7d9e7c3522b9c6b399062c0a7db18afbda6de8a6eae1e203b567c707d8bd49996ba1961f47cfef2d166

Download Submit
memory/1856-195-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1856-196-0x0000000001660000-0x0000000002113000-memory.dmp

Filesize
10.7MB

Download
memory/1856-182-0x0000000001660000-0x0000000002113000-memory.dmp

Filesize
10.7MB

Download
memory/1856-181-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4540-150-0x0000000007450000-0x0000000007482000-memory.dmp

Filesize
200KB

Download
memory/4540-165-0x0000000007800000-0x000000000782A000-memory.dmp

Filesize
168KB

Download
memory/4540-141-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/4540-142-0x0000000006240000-0x000000000628C000-memory.dmp

Filesize
304KB

Download
memory/4540-143-0x00000000071E0000-0x0000000007276000-memory.dmp

Filesize
600KB

Download
memory/4540-145-0x0000000006780000-0x00000000067A2000-memory.dmp

Filesize
136KB

Download
memory/4540-144-0x0000000006730000-0x000000000674A000-memory.dmp

Filesize
104KB

Download
memory/4540-146-0x0000000007830000-0x0000000007DD4000-memory.dmp

Filesize
5.6MB

Download
memory/4540-127-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download
memory/4540-148-0x0000000008460000-0x0000000008ADA000-memory.dmp

Filesize
6.5MB

Download
memory/4540-151-0x000000006FA00000-0x000000006FA4C000-memory.dmp

Filesize
304KB

Download
memory/4540-152-0x000000006FB70000-0x000000006FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-162-0x0000000007690000-0x00000000076AE000-memory.dmp

Filesize
120KB

Download
memory/4540-129-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/4540-149-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-163-0x00000000076C0000-0x0000000007763000-memory.dmp

Filesize
652KB

Download
memory/4540-164-0x00000000077C0000-0x00000000077CA000-memory.dmp

Filesize
40KB

Download
memory/4540-140-0x0000000005BF0000-0x0000000005F44000-memory.dmp

Filesize
3.3MB

Download
memory/4540-166-0x0000000007F20000-0x0000000007F44000-memory.dmp

Filesize
144KB

Download
memory/4540-167-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-168-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-169-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-171-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-130-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/4540-173-0x000000007357E000-0x000000007357F000-memory.dmp

Filesize
4KB

Download
memory/4540-174-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-175-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-176-0x0000000008AE0000-0x0000000009593000-memory.dmp

Filesize
10.7MB

Download
memory/4540-177-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-178-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-128-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-126-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/4540-125-0x0000000005230000-0x0000000005858000-memory.dmp

Filesize
6.2MB

Download
memory/4540-124-0x0000000004BB0000-0x0000000004BE6000-memory.dmp

Filesize
216KB

Download
memory/4540-123-0x000000007357E000-0x000000007357F000-memory.dmp

Filesize
4KB

Download