Malware Analysis Report

2024-12-06 03:01

Sample ID 241115-sx11mavrgs
Target 2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
SHA256 2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47
Tags
guloader discovery downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47

Threat Level: Known bad

The file 2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe was found to be: Known bad.

Malicious Activity Summary

guloader discovery downloader

Guloader,Cloudeye

Guloader family

Checks QEMU agent file

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 15:31

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 15:31

Reported

2024-11-15 15:33

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe

"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"

C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe

"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 172.93.187.72:80 | | tcp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 172.93.187.72:80 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsaA0C5.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

memory/2064-10-0x0000000004A10000-0x00000000058CE000-memory.dmp

memory/2064-11-0x0000000076F71000-0x0000000077091000-memory.dmp

memory/2064-12-0x0000000073DD5000-0x0000000073DD6000-memory.dmp

memory/2064-13-0x0000000004A10000-0x00000000058CE000-memory.dmp

memory/3228-14-0x0000000000450000-0x000000000130E000-memory.dmp

memory/3228-15-0x0000000076FF8000-0x0000000076FF9000-memory.dmp

memory/3228-16-0x0000000077015000-0x0000000077016000-memory.dmp

memory/3228-17-0x0000000000450000-0x000000000130E000-memory.dmp

memory/3228-18-0x00000000728D0000-0x0000000073B24000-memory.dmp

memory/3228-19-0x0000000076F71000-0x0000000077091000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 15:31

Reported

2024-11-15 15:33

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Checks QEMU agent file

Description | Indicator | Process | Target
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2704 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
PID 2704 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
PID 2704 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
PID 2704 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
PID 2704 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe
PID 2704 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe | C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe

"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"

C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe

"C:\Users\Admin\AppData\Local\Temp\2791f889590f7e4f9ba357857f6389d23a2dd2eeac00d04aef3893f8f0effe47.exe"

Network

Country | Destination | Domain | Proto
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp
US | 172.93.187.72:80 | | tcp

Files

\Users\Admin\AppData\Local\Temp\nsyE985.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

memory/2704-11-0x0000000003DD0000-0x0000000004C8E000-memory.dmp

memory/2704-12-0x0000000077281000-0x0000000077382000-memory.dmp

memory/2704-13-0x0000000077280000-0x0000000077429000-memory.dmp

memory/2592-15-0x0000000077280000-0x0000000077429000-memory.dmp

memory/2704-14-0x0000000003DD0000-0x0000000004C8E000-memory.dmp

memory/2592-16-0x0000000072800000-0x0000000073862000-memory.dmp

memory/2704-22-0x0000000003DD0000-0x0000000004C8E000-memory.dmp