guloader | 1e3400269bb6d96dd3029758c87bf265fc9b45eb91446da8eb1ee591a9bb2a7b

General

Target

Welfab%20Engineering%20Works%20Sdn%20Bhd%20%28605812-D%29.zip
Size

502KB
MD5

ce2ad77d561441eba07723e8b91fe46a
SHA1

615a8b0a351db8d1188c29fa84b7230baddd3646
SHA256

1e3400269bb6d96dd3029758c87bf265fc9b45eb91446da8eb1ee591a9bb2a7b
SHA512

0b969c161a943426de284605f78d8b5c7c32f6eeec318417397a30de761c0c9f5605a3151195bc10292dbe05febddf00e814e85952e6fb005cabd07f8c9b7f12
SSDEEP

12288:ga9wb2sRWwxk+bC5h3Im1BvtI3MJeTEbU+JN0:wxWwxFbm3ImdI36egbU+0

Score

10^/10

guloader discovery downloader persistence upx

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 1 IoCs

Processes:

Welfab Engineering Works Sdn Bhd (605812-D).exe

pid	Process
3152	Welfab Engineering Works Sdn Bhd (605812-D).exe

Loads dropped DLL 1 IoCs

Processes:

Welfab Engineering Works Sdn Bhd (605812-D).exe

pid	Process
3152	Welfab Engineering Works Sdn Bhd (605812-D).exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Penitencer = "C:\\Users\\Admin\\AppData\\Roaming\\fornemmers\\Aerie.exe"	msiexec.exe

Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exe

flow	pid	Process
24	3628	msiexec.exe
25	3628	msiexec.exe
28	3628	msiexec.exe
35	3628	msiexec.exe
43	3628	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
3628	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Welfab Engineering Works Sdn Bhd (605812-D).exemsiexec.exe

pid	Process
3152	Welfab Engineering Works Sdn Bhd (605812-D).exe
3628	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Welfab Engineering Works Sdn Bhd (605812-D).exe

description	pid	Process	procid_target
PID 3152 set thread context of 3628	3152	Welfab Engineering Works Sdn Bhd (605812-D).exe	100

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3628-306-0x0000000000400000-0x00000000005E4000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

Welfab Engineering Works Sdn Bhd (605812-D).exe

description	ioc	Process
File created	C:\Windows\fyldningsgrad.lnk	Welfab Engineering Works Sdn Bhd (605812-D).exe
File opened for modification	C:\Windows\fyldningsgrad.lnk	Welfab Engineering Works Sdn Bhd (605812-D).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Welfab Engineering Works Sdn Bhd (605812-D).exemsiexec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Welfab Engineering Works Sdn Bhd (605812-D).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7zFM.exe

pid	Process
4460	7zFM.exe
4460	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exemsiexec.exe

pid	Process
4460	7zFM.exe
3628	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Welfab Engineering Works Sdn Bhd (605812-D).exe

pid	Process
3152	Welfab Engineering Works Sdn Bhd (605812-D).exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	4460	7zFM.exe
Token: 35	4460	7zFM.exe
Token: SeSecurityPrivilege	4460	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid	Process
4460	7zFM.exe
4460	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msiexec.exe

pid	Process
3628	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7zFM.exeWelfab Engineering Works Sdn Bhd (605812-D).exe

description	pid	Process	procid_target
PID 4460 wrote to memory of 3152	4460	7zFM.exe	97
PID 4460 wrote to memory of 3152	4460	7zFM.exe	97
PID 4460 wrote to memory of 3152	4460	7zFM.exe	97
PID 3152 wrote to memory of 3628	3152	Welfab Engineering Works Sdn Bhd (605812-D).exe	100
PID 3152 wrote to memory of 3628	3152	Welfab Engineering Works Sdn Bhd (605812-D).exe	100
PID 3152 wrote to memory of 3628	3152	Welfab Engineering Works Sdn Bhd (605812-D).exe	100
PID 3152 wrote to memory of 3628	3152	Welfab Engineering Works Sdn Bhd (605812-D).exe	100
PID 3152 wrote to memory of 3628	3152	Welfab Engineering Works Sdn Bhd (605812-D).exe	100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Welfab%20Engineering%20Works%20Sdn%20Bhd%20%28605812-D%29.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\7zOC6145FD7\Welfab Engineering Works Sdn Bhd (605812-D).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6145FD7\Welfab Engineering Works Sdn Bhd (605812-D).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Users\Admin\AppData\Local\Temp\7zOC6145FD7\Welfab Engineering Works Sdn Bhd (605812-D).exe"
    3⤵
    - Adds Run key to start application
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC6145FD7\Welfab Engineering Works Sdn Bhd (605812-D).exe

Filesize
630KB

MD5
fe51edf89b75291eb2212ee1b79385c8

SHA1
68bb65df96a0ea2043887b18d38157ea3af20f56

SHA256
31e42571130cdbc3a883af73f33e55f039d7e128bca5c80460f7959a393dfdef

SHA512
c26a4d62d0a856d1dec861fa4159231b34e38ba4b6f3dfc08c427250ccc4ecab5c8cbe1b8b3b805c2881b4984ffb4e1e07d9a4e4604b7d0b8309265e4d3b192c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA181.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Windows\fyldningsgrad.lnk

Filesize
878B

MD5
216219cb074dcd9ffdd2882618df1f79

SHA1
0add9a275e7c7177e8a3fad6599fd37ff8d52f8d

SHA256
8acb010365ab19ce755b137f2b2081dc2592a5bef6e4bab98ecb41b11bc1bd34

SHA512
d2b6ce20cd061edd7dd85114761b777ddb18d872d90bab4d7f58d293458a3d448b70f198d67be08058120aa4dcc8e7dc6eb7dabb0624bc13a9a2721211ef05aa

Download Submit
memory/3152-299-0x0000000004A10000-0x0000000006549000-memory.dmp

Filesize
27.2MB

Download
memory/3152-300-0x0000000073AD5000-0x0000000073AD6000-memory.dmp

Filesize
4KB

Download
memory/3152-301-0x0000000004A10000-0x0000000006549000-memory.dmp

Filesize
27.2MB

Download
memory/3628-306-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads