guloader | e8384166957076efd104eaf0443b1cda502c5d6e3bdc3f0ea4764b5adb77ee16

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pic05678063.exe
Size

92KB
MD5

22b022a5547dbc1c9bcfb8e4d7eb440f
SHA1

952b628cb42495baf73c468d509f249d55aa7966
SHA256

c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414
SHA512

c1a8f88047f91c4ad9b0e916d17f2c32c3fa080208d1eb77cab0ce57bb8594337d324bf99275bca1c5eb89d5dcf5898ccefa9de83efbe9a3beb2369ac6355c76
SSDEEP

1536:RHR4uv4MRD+wmxH+2POAGcS5g0nhS61D4B:9ym+dRnC5g0ns61kB

Score

10^/10

guloader discovery downloader

Malware Config

Extracted

Family

guloader

https://drive.google.com/uc?export=download&id=1xAtgeY-y0Ovf41LpAmat5XPeHwnWyI0P

xor.base64

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pic05678063.exepic05678063.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	pic05678063.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	pic05678063.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

pic05678063.exepic05678063.exe

pid process

2412 pic05678063.exe
844 pic05678063.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pic05678063.exe

description pid process target process

PID 2412 set thread context of 844 2412 pic05678063.exe pic05678063.exe

flow	ioc
3	drive.google.com
5	drive.google.com

pid	process
2412	pic05678063.exe
844	pic05678063.exe

description	pid	process	target process
PID 2412 set thread context of 844	2412	pic05678063.exe	pic05678063.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pic05678063.exepic05678063.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pic05678063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pic05678063.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pic05678063.exe

pid process

2412 pic05678063.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

pic05678063.exe

pid process

2412 pic05678063.exe

pid	process
2412	pic05678063.exe

pid	process
2412	pic05678063.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

pic05678063.exe

description	pid	process	target process
PID 2412 wrote to memory of 844	2412	pic05678063.exe	pic05678063.exe
PID 2412 wrote to memory of 844	2412	pic05678063.exe	pic05678063.exe
PID 2412 wrote to memory of 844	2412	pic05678063.exe	pic05678063.exe
PID 2412 wrote to memory of 844	2412	pic05678063.exe	pic05678063.exe
PID 2412 wrote to memory of 844	2412	pic05678063.exe	pic05678063.exe

C:\Users\Admin\AppData\Local\Temp\pic05678063.exe
"C:\Users\Admin\AppData\Local\Temp\pic05678063.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\pic05678063.exe
  "C:\Users\Admin\AppData\Local\Temp\pic05678063.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-9-0x00000000779B0000-0x0000000077B59000-memory.dmp

Filesize
1.7MB

Download
memory/844-6-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/844-10-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/844-27-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2412-2-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/2412-3-0x00000000779B1000-0x0000000077AB2000-memory.dmp

Filesize
1.0MB

Download
memory/2412-4-0x00000000779B0000-0x0000000077B59000-memory.dmp

Filesize
1.7MB

Download
memory/2412-5-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/2412-8-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download