guloader | e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe
Size

450KB
MD5

0be3f2cb6b42caa09085030ccf55be16
SHA1

fe6f62d6df037c7962d0a7d17fe41fd0178cbe5d
SHA256

e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125
SHA512

81feb54745c1fac28ade9aa8e676f8c54abf08c32802946b82c4471192ff0d3fb46283843986c6548a7a2d651c74525ab328133b623b9a8c8b5e3dec40c9bdab
SSDEEP

12288:aOLOS9sMkCNYzF9pEt5NjAcCep+nTDeqJ5:DOS9sMZ2zfpyIcDQH1J5

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe
1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe
216	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 216	1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe	84

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\cervuline\coinhered.ini	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 216	1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe	84
PID 1808 wrote to memory of 216	1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe	84
PID 1808 wrote to memory of 216	1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe	84
PID 1808 wrote to memory of 216	1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe	84
PID 1808 wrote to memory of 216	1808	e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe	84

C:\Users\Admin\AppData\Local\Temp\e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe
"C:\Users\Admin\AppData\Local\Temp\e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe
  "C:\Users\Admin\AppData\Local\Temp\e5dae822bb8f37e4acc5c45d07dcdbcb4259df72f762e21fe7369ab6a4c1a125.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa6D13.tmp\System.dll

Filesize
11KB

MD5
b853d5d2361ade731e33e882707efc34

SHA1
c58b1aeabdf1cbb8334ef8797e7aceaa7a1cb6be

SHA256
f0cd96e0b6e40f92ad1aa0efacde833bae807b92fca19bf062c1cf8acf29484b

SHA512
8ea31d82ffa6f58dab5632fe72690d3a6db0be65aec85fc8a1f71626773c0974dcebefae17bcf67c4c56ef442545e985eea0b348ff6e4fc36740640092b08d69

Download Submit
memory/216-20-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/216-21-0x0000000001660000-0x0000000003714000-memory.dmp

Filesize
32.7MB

Download
memory/216-28-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/216-29-0x0000000001660000-0x0000000003714000-memory.dmp

Filesize
32.7MB

Download
memory/216-30-0x0000000077381000-0x00000000774A1000-memory.dmp

Filesize
1.1MB

Download
memory/1808-15-0x00000000032A0000-0x0000000005354000-memory.dmp

Filesize
32.7MB

Download
memory/1808-16-0x0000000077381000-0x00000000774A1000-memory.dmp

Filesize
1.1MB

Download
memory/1808-17-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/1808-18-0x00000000032A0000-0x0000000005354000-memory.dmp

Filesize
32.7MB

Download
memory/1808-19-0x00000000032A0000-0x0000000005354000-memory.dmp

Filesize
32.7MB

Download