guloader | a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe
Size

624KB
MD5

f08d6545c74d5a429d8225885b81f55a
SHA1

f95b76f2d791105cd9c942c704fbf223d27892ad
SHA256

a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a
SHA512

325f87497a9994b4213eb14bde7e62aa586644a6eba0ef3323a095e4f1d4f43547e6f1363079df165a2c2ec39853ce22d4617eaa05676bd61ec745d852e92fc6
SSDEEP

12288:B/tGh4HqBbV0/tQv6o1xMKZoRmpfSJ9OI1rbIAPxEq:BQhW9/66mMK2kpaJdbpPxX

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4348	powershell.exe

Blocklisted process makes network request 9 IoCs

flow	pid	Process
21	3296	msiexec.exe
34	3296	msiexec.exe
35	3296	msiexec.exe
39	3296	msiexec.exe
40	3296	msiexec.exe
44	3296	msiexec.exe
45	3296	msiexec.exe
46	3296	msiexec.exe
47	3296	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4348	powershell.exe
3296	msiexec.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\solubilizes.ded	a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4348	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	4348	powershell.exe
Token: SeSecurityPrivilege	4348	powershell.exe
Token: SeTakeOwnershipPrivilege	4348	powershell.exe
Token: SeLoadDriverPrivilege	4348	powershell.exe
Token: SeSystemProfilePrivilege	4348	powershell.exe
Token: SeSystemtimePrivilege	4348	powershell.exe
Token: SeProfSingleProcessPrivilege	4348	powershell.exe
Token: SeIncBasePriorityPrivilege	4348	powershell.exe
Token: SeCreatePagefilePrivilege	4348	powershell.exe
Token: SeBackupPrivilege	4348	powershell.exe
Token: SeRestorePrivilege	4348	powershell.exe
Token: SeShutdownPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeSystemEnvironmentPrivilege	4348	powershell.exe
Token: SeRemoteShutdownPrivilege	4348	powershell.exe
Token: SeUndockPrivilege	4348	powershell.exe
Token: SeManageVolumePrivilege	4348	powershell.exe
Token: 33	4348	powershell.exe
Token: 34	4348	powershell.exe
Token: 35	4348	powershell.exe
Token: 36	4348	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4348	2088	a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe	83
PID 2088 wrote to memory of 4348	2088	a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe	83
PID 2088 wrote to memory of 4348	2088	a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe	83
PID 4348 wrote to memory of 3296	4348	powershell.exe	94
PID 4348 wrote to memory of 3296	4348	powershell.exe	94
PID 4348 wrote to memory of 3296	4348	powershell.exe	94
PID 4348 wrote to memory of 3296	4348	powershell.exe	94

C:\Users\Admin\AppData\Local\Temp\a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe
"C:\Users\Admin\AppData\Local\Temp\a3c3fcc02a6ad19d388304f15f2b9661f46a24c2151e9e725db514e8a69c8f6a.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Phthalic=Get-Content -raw 'C:\Users\Admin\AppData\Local\dockers\fabriksguvlet\Crystalizer.Syn';$Medialises=$Phthalic.SubString(54841,3);.$Medialises($Phthalic)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkcsfigo.00a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\dockers\fabriksguvlet\Crystalizer.Syn

Filesize
53KB

MD5
b6a2296e8b10cd624e538e4d115344d2

SHA1
a121b8415406491326ff8a15af93fc8b6c1657d9

SHA256
13b35482d6f13a556d05c3eb00235ccc32138ae94f7d3fe3917081c35adc7925

SHA512
ad216d5308e80a366f6c28ec7a676b187971199c4d8c15b1b7511528c78768d588fb445f86ea2520e930f018bb9b51153b2bd9f39951ff04118e2e68e8634815

Download Submit
C:\Users\Admin\AppData\Local\dockers\fabriksguvlet\Isbrydende.afr

Filesize
286KB

MD5
a1b94b654c739e207a77ad8005c85af0

SHA1
45f0f0c78c1311168d0d76f182170c910ff1370c

SHA256
1e32700523bba02e59560527d35c63d8abd04418a9434f5fbc5dd51e5dee3144

SHA512
3705019ec49cee8b68ef9535ee4290c00045a57a0da172e473fce805f4b1f016d063d4b6bd2ff58cf4b57d25b82530a623376069a4f34d9823f76ed1971202ef

Download Submit
memory/3296-73-0x0000000001DE0000-0x0000000002FFC000-memory.dmp

Filesize
18.1MB

Download
memory/3296-72-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3296-71-0x0000000001DE0000-0x0000000002FFC000-memory.dmp

Filesize
18.1MB

Download
memory/4348-30-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

Filesize
304KB

Download
memory/4348-53-0x0000000007160000-0x000000000716A000-memory.dmp

Filesize
40KB

Download
memory/4348-17-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/4348-28-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/4348-29-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

Filesize
120KB

Download
memory/4348-11-0x000000007346E000-0x000000007346F000-memory.dmp

Filesize
4KB

Download
memory/4348-31-0x0000000006120000-0x00000000061B6000-memory.dmp

Filesize
600KB

Download
memory/4348-32-0x00000000060E0000-0x00000000060FA000-memory.dmp

Filesize
104KB

Download
memory/4348-33-0x0000000006B70000-0x0000000006B92000-memory.dmp

Filesize
136KB

Download
memory/4348-34-0x0000000007200000-0x00000000077A4000-memory.dmp

Filesize
5.6MB

Download
memory/4348-16-0x0000000004B50000-0x0000000004B72000-memory.dmp

Filesize
136KB

Download
memory/4348-36-0x0000000007E30000-0x00000000084AA000-memory.dmp

Filesize
6.5MB

Download
memory/4348-39-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-38-0x000000006F8E0000-0x000000006F92C000-memory.dmp

Filesize
304KB

Download
memory/4348-37-0x0000000006FF0000-0x0000000007022000-memory.dmp

Filesize
200KB

Download
memory/4348-40-0x000000006FA40000-0x000000006FD94000-memory.dmp

Filesize
3.3MB

Download
memory/4348-50-0x0000000007030000-0x000000000704E000-memory.dmp

Filesize
120KB

Download
memory/4348-51-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-52-0x0000000007060000-0x0000000007103000-memory.dmp

Filesize
652KB

Download
memory/4348-18-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/4348-54-0x00000000071A0000-0x00000000071CA000-memory.dmp

Filesize
168KB

Download
memory/4348-55-0x00000000071D0000-0x00000000071F4000-memory.dmp

Filesize
144KB

Download
memory/4348-56-0x000000007346E000-0x000000007346F000-memory.dmp

Filesize
4KB

Download
memory/4348-57-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-58-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-60-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-61-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-15-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-63-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-65-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-64-0x00000000084B0000-0x00000000096CC000-memory.dmp

Filesize
18.1MB

Download
memory/4348-66-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-67-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-69-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-70-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-13-0x0000000073460000-0x0000000073C10000-memory.dmp

Filesize
7.7MB

Download
memory/4348-14-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/4348-12-0x00000000021E0000-0x0000000002216000-memory.dmp

Filesize
216KB

Download