Overview

overview

10

Static

static

3

Original c...cs.exe

windows7-x64

10

Original c...cs.exe

windows10-2004-x64

10

pic05678063.exe

windows7-x64

10

pic05678063.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Original copies of shipment docs.exe

  • Size

    92KB

  • MD5

    8b96af7d76b487cea6aa04f565b8cb9f

  • SHA1

    3e904fec3e82c9f01ccc64fbdcde35d306c6147f

  • SHA256

    49559dd2c1d9b0841f3384f3080013f8d644760d45ab7cd4fb4928bb2b91f354

  • SHA512

    786140d030095ce5c0865c21e049c8572e3ee5ec78eadebb15611a4b0f59bac995a306f14e85cd30506cd7661819d3d6a3fe43e4ac714fceb9e0c0991f171790

  • SSDEEP

    768:DUN8RIPdfSAxqFpdyNmqsNjl+mF2AdJVmyzXUsRVVWmZjrFLaH/hQ:ANJEjd+bAlJFvNzksRCQjhGK

Score
10/10
guloaderdiscoverydownloader

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1eS7ZjBeF8dblWu1ZZ1U1CF4vescWndHE

xor.base64

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Original copies of shipment docs.exe
    "C:\Users\Admin\AppData\Local\Temp\Original copies of shipment docs.exe"
    1⤵
    • Checks QEMU agent file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3384
    • C:\Users\Admin\AppData\Local\Temp\Original copies of shipment docs.exe
      "C:\Users\Admin\AppData\Local\Temp\Original copies of shipment docs.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:1896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1896-5-0x0000000000400000-0x000000000055D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1896-9-0x0000000077081000-0x00000000771A1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1896-8-0x0000000000560000-0x0000000000660000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1896-19-0x0000000000560000-0x0000000000660000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1896-20-0x0000000000400000-0x000000000055D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3384-2-0x00000000022B0000-0x00000000022BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3384-3-0x0000000077081000-0x00000000771A1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3384-4-0x0000000077081000-0x00000000771A1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3384-7-0x00000000022B0000-0x00000000022BC000-memory.dmp

    Filesize

    48KB

    Download