guloader | 7263a8930afb910d367c5e228694a8c291c8f797e87c082583bcb425fdc525c9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AWB.exe
Size

734KB
MD5

0c9009a01f16ae4f68f806f30fad5ed2
SHA1

c92ad48134ec43427462c3657cd229dd31e239df
SHA256

7263a8930afb910d367c5e228694a8c291c8f797e87c082583bcb425fdc525c9
SHA512

d894bb452e05548a757bfbd8ddc0c3b55686690923ca01c58e68d399afe88d5d013076fcf83fcb51483e887373ad5bc76671998b3b738cd01c5752511a10db63
SSDEEP

12288:EI0YglGokRtZYxDuT5+tofxytZ4FbVjLfWJRuDnEFGuAY2eAuVLZEqhaH/e5rS++:EI0blXUEx4+ptZ4/WJAgHA8AuVLZEkLm

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 7 IoCs

pid	Process
2784	AWB.exe
2784	AWB.exe
2784	AWB.exe
2784	AWB.exe
2784	AWB.exe
2784	AWB.exe
2784	AWB.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Eritas.fat	AWB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	2784	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AWB.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2768	2784	AWB.exe	30
PID 2784 wrote to memory of 2768	2784	AWB.exe	30
PID 2784 wrote to memory of 2768	2784	AWB.exe	30
PID 2784 wrote to memory of 2768	2784	AWB.exe	30

C:\Users\Admin\AppData\Local\Temp\AWB.exe
"C:\Users\Admin\AppData\Local\Temp\AWB.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 524
  2⤵
  - Program crash
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy7F2F.tmp\LangDLL.dll

Filesize
5KB

MD5
c5351b7c9aa48e9e7872288a3e7dd583

SHA1
69efcf341345625a4a855f03f2a9d9e8f50319b2

SHA256
982954ea90a10844bff23d595ac2449c6fae300aee2ab4c23077aac1197b7c2e

SHA512
6e655e02aa05bc52beec428686622c4c1c1ffc7e5aba0f6d429495cba29bee5733b26ac7aecbeaa9e525eae52706a2513035d17cc7b0ccbcf792c765c9427d7b

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7F2F.tmp\System.dll

Filesize
11KB

MD5
c61501f07cf09bcfcdfe4cc8a1ebbbe3

SHA1
e8581b4359651b857646ae727efaaef372daa0fc

SHA256
7e75f148920db6300dad5a1c12fd5d6eecc95698a310a01311181bc98a704d55

SHA512
9837abe7ec3fa0f1f5193968d12b7ca1893e34eddf628db1f7ab6715b4de339231f0ec1b5f0f86c767f5a30c40da5c4a95e99deedd22eece93cb0d00539aad24

Download Submit
memory/2784-36-0x00000000036A0000-0x00000000065CB000-memory.dmp

Filesize
47.2MB

Download
memory/2784-37-0x00000000036A0000-0x00000000065CB000-memory.dmp

Filesize
47.2MB

Download
memory/2784-38-0x00000000036A0000-0x00000000065CB000-memory.dmp

Filesize
47.2MB

Download