Malware Analysis Report

2024-12-06 03:10

Sample ID 241120-b3bjgsybjm
Target b9a03fb0c2c7f23a1e4ccb0d79c5053c.bin
SHA256 412b53f3b10d66cc46c74efda60750eda34c55a5c0866253e15910909142ea34
Tags discovery, guloader, downloader
Score 10/10

Analysis Overview

Score 10/10

SHA256

412b53f3b10d66cc46c74efda60750eda34c55a5c0866253e15910909142ea34

Threat Level: Known bad

The file b9a03fb0c2c7f23a1e4ccb0d79c5053c.bin was found to be: Known bad.

Malicious Activity Summary

discovery guloader downloader

Guloader family

Guloader, Cloudeye

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 01:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 01:39

Reported

2024-11-20 01:42

Platform

win7-20240708-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe"

Signatures

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\nomarch\gratiales.ini | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\Gullis.lnk | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A
File opened for modification | C:\Windows\Fonts\Gullis.lnk | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A
File created | C:\Windows\Fonts\Iskagerne227.lnk | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe

"C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nseF317.tmp\System.dll

MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA512 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

C:\Windows\Fonts\Gullis.lnk

MD5 5ea93714a8aea2e6f10752bedfc9920d
SHA1 b13047ed7e58f80be1b681071122f30849af849f
SHA256 d0714f2d884fbc7f4a0d65dc36fbb069fe1213635ff6055c097a53757bf5c12b
SHA512 fff4c5b43e0c02e16869747a03232b7d35e216bc52ccc4c03b1a5fc09e5ad794dc21c979c895d36c07abbb9e8e95d8ea8bb2dd03f7beb4ebf20d3e4085d663fb

memory/1904-20-0x0000000002D70000-0x0000000005C5A000-memory.dmp

memory/1904-21-0x0000000002D70000-0x0000000005C5A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 01:39

Reported

2024-11-20 01:42

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe"

Signatures

Guloader family

guloader

Guloader, Cloudeye

downloader guloader

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\nomarch\gratiales.ini | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\Gullis.lnk | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A
File opened for modification | C:\Windows\Fonts\Gullis.lnk | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe

"C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe"

C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe

"C:\Users\Admin\AppData\Local\Temp\099369eb025c3e23b6669c872ac2572e7bc4ba9200eb4d6318284983ddb78e3f.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
NL | 185.222.57.90:80 | N/A | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp
NL | 185.222.57.90:80 | N/A | tcp
NL | 185.222.57.90:80 | N/A | tcp
NL | 185.222.57.90:80 | N/A | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
NL | 185.222.57.90:80 | N/A | tcp
NL | 185.222.57.90:80 | N/A | tcp
NL | 185.222.57.90:80 | N/A | tcp
NL | 185.222.57.90:80 | N/A | tcp
NL | 185.222.57.90:80 | N/A | tcp
NL | 185.222.57.90:80 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsa884B.tmp\System.dll

MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA512 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

C:\Windows\Fonts\Gullis.lnk

MD5 ee0b9434686409392ffd83025c921ede
SHA1 903619da806ea5057ad4d4433686d48f6cc374a9
SHA256 7acb67f2e929fbf10b6d346f36a5fc59e22744223db5443376dcd39e67db075c
SHA512 211a38c91c730c47e60e76263e74c2a54e5ef54fa1eef020bd4cd0598afe4cdca62dafa1a368cf4ec7c5e54c6561237912fd853a4e92c96d8698a12c14a4dd1b

memory/3376-18-0x0000000002AC0000-0x00000000059AA000-memory.dmp

memory/3376-20-0x0000000077A11000-0x0000000077B31000-memory.dmp

memory/3376-19-0x0000000002AC0000-0x00000000059AA000-memory.dmp

memory/3376-21-0x0000000074704000-0x0000000074705000-memory.dmp

memory/3376-23-0x0000000002AC0000-0x00000000059AA000-memory.dmp

memory/4804-22-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4804-24-0x0000000001660000-0x000000000454A000-memory.dmp

memory/4804-25-0x0000000000400000-0x0000000001654000-memory.dmp

memory/4804-26-0x0000000001660000-0x000000000454A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-20 01:39

Reported

2024-11-20 01:42

Platform

win7-20241010-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 220

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-20 01:39

Reported

2024-11-20 01:42

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4660 wrote to memory of 4556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 4556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4660 wrote to memory of 4556 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4556 -ip 4556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

N/A