Malware Analysis Report

2024-12-06 03:03

Sample ID 241118-vn4q9s1gqn
Target Purchase Order Purchase Order Purchase Order Purchase Order.exe
SHA256 099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f
Tags
discovery guloader downloader
score
10/10

Analysis Overview

score
10/10

SHA256

099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f

Threat Level: Known bad

The file Purchase Order Purchase Order Purchase Order Purchase Order.exe was found to be: Known bad.

Malicious Activity Summary

discovery guloader downloader

Guloader,Cloudeye

Guloader family

Loads dropped DLL

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-18 17:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 17:09

Reported

2024-11-18 17:11

Platform

win7-20241010-en

Max time kernel

10s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\nomarch\gratiales.ini C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Gullis.lnk C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
File opened for modification C:\Windows\Fonts\Gullis.lnk C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsyD431.tmp\System.dll

MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA512 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

C:\Windows\Fonts\Gullis.lnk

MD5 8f5e97bec31ba620de606572477e4fe4
SHA1 6bf85b18bae07ea01b7e86d920e7a79934f25dc9
SHA256 ae283a49666fda34720d04864335014f48053b67b9e6eb39b7907a865db3ac10
SHA512 352600d4e86338bfc06bb53d4b772b4a240f82c00fe3e2ad9063560165b8164de0c8a218fed8b740342f93c6e342d133ede6e20f435f8663f870f39bf3020e1d

memory/576-20-0x0000000002DE0000-0x0000000005CCA000-memory.dmp

memory/576-25-0x0000000002DE0000-0x0000000005CCA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 17:09

Reported

2024-11-18 17:11

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe"

Signatures

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\nomarch\gratiales.ini C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Gullis.lnk C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
File opened for modification C:\Windows\Fonts\Gullis.lnk C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe"

C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order Purchase Order Purchase Order Purchase Order.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 185.222.57.90:80 185.222.57.90 tcp
US 8.8.8.8:53 90.57.222.185.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsaC5A3.tmp\System.dll

MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA512 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

C:\Windows\Fonts\Gullis.lnk

MD5 35651cf97ce055ea65e0ec1a8711413d
SHA1 5c34f2c941bb9b6643592a24de506e137ebc9d4f
SHA256 0efe40e0afa03c6f27ad41a7e9ef65e1f2427bb00bbeeba1b102155c860ca266
SHA512 76345a08660220396c59eaeb97a8d2c2f589aa9ccfeff31bde45f2e9f1b0e15018f7183e9c9eb3b8ba5a682bb2cd59f6a5ec3e38374bf85a4c68cfbc208f07e4

memory/5032-18-0x0000000002A80000-0x000000000596A000-memory.dmp

memory/5032-20-0x0000000076FE1000-0x0000000077101000-memory.dmp

memory/5032-19-0x0000000002A80000-0x000000000596A000-memory.dmp

memory/5032-21-0x0000000073CD4000-0x0000000073CD5000-memory.dmp

memory/5032-23-0x0000000002A80000-0x000000000596A000-memory.dmp

memory/784-22-0x0000000000400000-0x0000000001654000-memory.dmp

memory/784-24-0x0000000001660000-0x000000000454A000-memory.dmp

memory/784-25-0x0000000001660000-0x000000000454A000-memory.dmp

memory/784-26-0x0000000000400000-0x0000000001654000-memory.dmp

memory/784-27-0x0000000000400000-0x0000000001654000-memory.dmp

memory/784-28-0x0000000000400000-0x0000000001654000-memory.dmp

memory/784-29-0x0000000000400000-0x0000000001654000-memory.dmp

memory/784-32-0x0000000000400000-0x0000000001654000-memory.dmp

memory/784-33-0x0000000001660000-0x000000000454A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-18 17:09

Reported

2024-11-18 17:11

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-18 17:09

Reported

2024-11-18 17:11

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 4820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 4820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1724 wrote to memory of 4820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A