Malware Analysis Report

2024-12-06 03:03

Sample ID 241118-vq45ta1kgw
Target PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe
SHA256 099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f
Tags discovery, guloader, downloader
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f

Threat Level: Known bad

The file PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe was found to be: Known bad.

Malicious Activity Summary

discovery guloader downloader

Guloader, Cloudeye

Guloader family

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses
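The summary lists the primitives behind the two hide-from-debugger signatures and the injection signatures (SetThreadContext, WriteProcessMemory, MapViewOfSection) without showing how they combine. The following is an added example, not sandbox output: it evaluates those rules over an API-call trace. The ApiCall record shape and the SAMPLE_TRACE are constructed for illustration (the PIDs mirror the two memory-dump process IDs in behavioral2, 4032 and 4680); no real monitor emits this exact format, and the two NT constants are taken from the public phnt headers.

```python
"""Rule logic for the summary's anti-debug and injection signatures.

Added example, not sandbox output. ApiCall and SAMPLE_TRACE are a constructed,
simplified API-monitor trace; the PIDs mirror behavioral2's memory dumps.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# ntdll constants (public phnt headers)
THREAD_HIDE_FROM_DEBUGGER = 0x11              # ThreadInformationClass for NtSetInformationThread
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # CreateFlags bit for NtCreateThreadEx


@dataclass
class ApiCall:
    pid: int                                   # calling process
    api: str                                   # function name as logged by the monitor
    args: Dict[str, int] = field(default_factory=dict)


@dataclass
class Verdict:
    anti_debug: List[str] = field(default_factory=list)
    injection_targets: Set[int] = field(default_factory=set)
    hollowing_chain: bool = False  # cross-process write/map AND SetThreadContext on the same target


def analyse(calls: Iterable[ApiCall]) -> Verdict:
    """Flag threads hidden from the debugger and cross-process writes that are
    followed by a thread-context rewrite (the hollowing pattern)."""
    v = Verdict()
    ctx_rewritten: Set[int] = set()  # target pids whose thread context another pid set
    for c in calls:
        # anti-debug: both calls make a thread invisible to an attached debugger
        if (c.api == "NtSetInformationThread"
                and c.args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
            v.anti_debug.append(f"pid {c.pid}: NtSetInformationThread(ThreadHideFromDebugger)")
        elif (c.api == "NtCreateThreadEx"
                and c.args.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER):
            v.anti_debug.append(f"pid {c.pid}: NtCreateThreadEx(THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER)")

        # injection: only cross-process targets count; a process writing itself is normal
        target = c.args.get("TargetPid")
        if target is None or target == c.pid:
            continue
        if c.api in ("WriteProcessMemory", "NtMapViewOfSection"):
            v.injection_targets.add(target)
        elif c.api == "SetThreadContext":
            ctx_rewritten.add(target)

    v.hollowing_chain = bool(v.injection_targets & ctx_rewritten)
    return v


# Constructed trace: the parent hides its threads, then maps and writes into its
# own second instance and redirects that instance's thread, matching the
# two-instance process tree in behavioral2.
SAMPLE_TRACE = [
    ApiCall(4032, "NtSetInformationThread", {"ThreadInformationClass": 0x11}),
    ApiCall(4032, "NtCreateThreadEx", {"CreateFlags": 0x4}),
    ApiCall(4032, "NtMapViewOfSection", {"TargetPid": 4680}),
    ApiCall(4032, "WriteProcessMemory", {"TargetPid": 4680}),
    ApiCall(4032, "SetThreadContext", {"TargetPid": 4680}),
    ApiCall(4680, "WriteProcessMemory", {"TargetPid": 4680}),  # self-write: ignored
]

if __name__ == "__main__":
    verdict = analyse(SAMPLE_TRACE)
    for hit in verdict.anti_debug:
        print("anti-debug:", hit)
    print("injection targets:", sorted(verdict.injection_targets),
          "hollowing chain:", verdict.hollowing_chain)
```

The cross-process filter matters when reading the behavioral4 section of this report, where the only WriteProcessMemory events are a 64-bit rundll32 creating its 32-bit child; a rule that counts every write would score that as injection.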

MITRE ATT&CK

Enterprise Matrix V15: the technique the signatures above name explicitly is T1614.001 System Location Discovery: System Language Discovery (the read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language seen in every behavioral run).

Analysis: static1

Detonation Overview

Reported

2024-11-18 17:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 17:12

Reported

2024-11-18 17:15

Platform

win7-20240903-en

Max time kernel

30s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\nomarch\gratiales.ini C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Gullis.lnk C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A
File opened for modification C:\Windows\Fonts\Gullis.lnk C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe

"C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nse1141.tmp\System.dll

MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA512 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

C:\Windows\Fonts\Gullis.lnk

MD5 46dfdeb66e419a0dadce6117a43e8d71
SHA1 bb2e74810ba5117e55dfef3ed8eaeb0366b32152
SHA256 0f2c1b85ba39e4beaf93322361eee92411210d8a4dfc87140b58f36abb13c191
SHA512 c3d87212a00cf831d3c75bd2f44f8dd757f2d227c96179e20c67bf482e4779c7c7e33632c0668d75c75697a22250794a7f0c21b30aa790de5925072738424e19

memory/2364-20-0x0000000002EC0000-0x0000000005DAA000-memory.dmp

memory/2364-25-0x0000000002EC0000-0x0000000005DAA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 17:12

Reported

2024-11-18 17:15

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe"

Signatures

Guloader family

guloader

Guloader, Cloudeye

downloader guloader

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\nomarch\gratiales.ini C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Gullis.lnk C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A
File opened for modification C:\Windows\Fonts\Gullis.lnk C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A (2 events)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe

"C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe"

C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe

"C:\Users\Admin\AppData\Local\Temp\PurchaseOrderPurchaseOrderPurchaseOrderPurchaseOrder.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 185.222.57.90:80 185.222.57.90 tcp
US 8.8.8.8:53 90.57.222.185.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp

Files

Of the two dropped files, System.dll is the NSIS installer's System plugin (the ns*.tmp directory is the installer's $PLUGINSDIR) and carries the same hash as in behavioral1, so it identifies the packaging, not this sample. Gullis.lnk has a different hash in behavioral1 and behavioral2, so neither hash is a stable indicator; the paths C:\Windows\Fonts\Gullis.lnk and C:\Program Files (x86)\Common Files\nomarch\gratiales.ini are the more reliable host artifacts.

C:\Users\Admin\AppData\Local\Temp\nse833B.tmp\System.dll

MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA512 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

C:\Windows\Fonts\Gullis.lnk

MD5 d36ce364bacbd8a6097f8aaefdc5fc5a
SHA1 5b3a2755ebe88f1d3bce794bf8b0b14ecda883dc
SHA256 59e2f80eab00502504a41a919b0198beae9c0f24b57fa2ab5b2781dba649a7ff
SHA512 973084f19e3b72fc649b0e0c471a4e1fc93f9166f09850c975ecef232f7d7a54653d5c3faf5de888ce2a4c61c867f6b8c91ffef2a6d0f6e8a883e9b1a4a89323

memory/4032-18-0x0000000002AC0000-0x00000000059AA000-memory.dmp

memory/4032-19-0x0000000002AC0000-0x00000000059AA000-memory.dmp

memory/4032-20-0x0000000077981000-0x0000000077AA1000-memory.dmp

memory/4032-21-0x0000000074674000-0x0000000074675000-memory.dmp

memory/4680-22-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4032-23-0x0000000002AC0000-0x00000000059AA000-memory.dmp

memory/4680-24-0x0000000001660000-0x000000000454A000-memory.dmp

memory/4680-25-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4680-26-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4680-27-0x0000000001660000-0x000000000454A000-memory.dmp

memory/4680-28-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4680-29-0x0000000000400000-0x0000000001654000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-18 17:12

Reported

2024-11-18 17:15

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

This run is the sandbox detonating the extracted NSIS System.dll plugin on its own ($PLUGINSDIR is the installer's ns*.tmp directory). NSIS plugin exports expect the installer's stack and variable pointers as arguments, which rundll32 does not pass, so the DLL faults and WerFault.exe (Windows Error Reporting) is invoked. The crash and the WerFault process are artifacts of this detonation, not behavior of the sample.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-18 17:12

Reported

2024-11-18 17:15

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

As in behavioral3, this is the sandbox running the extracted NSIS System.dll plugin directly under rundll32; the fault and the two WerFault.exe invocations are detonation artifacts.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3184 wrote to memory of 3836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 events)

The writer is the 64-bit rundll32 and the target is the 32-bit SysWOW64 rundll32 it launched to host a 32-bit DLL; the writes are part of that process creation, not payload injection by the sample.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3836 -ip 3836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
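The Network tables of behavioral2 and behavioral4 are dominated by reverse-DNS queries (*.in-addr.arpa names sent to 8.8.8.8:53), which encode the queried IP with its octets reversed; the one direct connection, 185.222.57.90:80 in behavioral2, is easy to miss among them. The following is an added example, not sandbox output: it parses both tables as printed on this page, decodes the PTR names back to IPs and separates direct connections from lookups. The row format "<CC> <ip>:<port> <name> <proto>" is assumed from the tables above; the two table strings are copied from this report.

```python
"""Separate reverse-DNS lookups from direct connections in the Network tables.

Added example, not sandbox output. The row format is assumed from the tables
printed in this report; BEHAVIORAL2 and BEHAVIORAL4 are copied from them.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)


def ptr_to_ip(name: str) -> Optional[str]:
    """'90.57.222.185.in-addr.arpa' -> '185.222.57.90'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage_network(table: str) -> Dict[str, list]:
    """Return the IPs the VM asked the resolver about and the non-DNS connections."""
    reverse_lookups: List[str] = []
    direct: List[Tuple[str, str, str]] = []  # (country, ip:port, proto)
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line
        looked_up = ptr_to_ip(m["name"])
        if looked_up and m["proto"] == "udp" and m["port"] == "53":
            reverse_lookups.append(looked_up)
        else:
            direct.append((m["cc"], f"{m['ip']}:{m['port']}", m["proto"]))
    return {"reverse_lookups": reverse_lookups, "direct": direct}


BEHAVIORAL2 = """
Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 185.222.57.90:80 185.222.57.90 tcp
US 8.8.8.8:53 90.57.222.185.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
"""

BEHAVIORAL4 = """
Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
"""

if __name__ == "__main__":
    for label, table in (("behavioral2", BEHAVIORAL2), ("behavioral4", BEHAVIORAL4)):
        r = triage_network(table)
        print(label, "direct:", r["direct"])
        print(label, "reverse lookups:", r["reverse_lookups"])
```

For behavioral2 the only direct connection is NL 185.222.57.90:80 over tcp, and the same IP also appears decoded from the 90.57.222.185.in-addr.arpa query that follows it; behavioral4 (the rundll32 detonation of the NSIS plugin) has no direct connections at all, only reverse lookups.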

Files

N/A