Analysis Overview
SHA256
2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47
Threat Level: Known bad
The file 2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe was found to be: Known bad.
Malicious Activity Summary
Guloader,Cloudeye
Guloader family
Checks QEMU agent file
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 15:31
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 15:31
Reported
2024-11-15 15:33
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2064 set thread context of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"
C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsaA0C5.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 15:31
Reported
2024-11-15 15:33
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Guloader family
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2704 set thread context of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"
C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsyE985.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |