Overview

overview

10

Static

static

3

FACTURAS P... 1.exe

windows7-x64

7

FACTURAS P... 1.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    10-01-2025 06:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FACTURAS PENDIENTES VAYPER AUTOMOCION 1.exe

  • Size

    521KB

  • MD5

    4f2c796aebd02a54ca9bebb0c5bc5ef0

  • SHA1

    558e2f3de9077aaf9159c4fb1633d66c75b14dda

  • SHA256

    c2f619460d6cd63ca1ae9b9abec61842fa05f09c0698fc4c400ccd5342109692

  • SHA512

    8eb1daf79455c75dba4521196c8ef468184f1a0d2c385bd424c4ce82174fe8c2970a47d72fc7d83c444629a236e373a70fb1d3cee236cfff246dba4b8ceb48c7

  • SSDEEP

    12288:rRfrRAA+3hDCYCCslgEzlaGuZHStFIH/x5eWJe5:dfNAAmhBCCsRzeRCFoewe5

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 6 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES VAYPER AUTOMOCION 1.exe
    "C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES VAYPER AUTOMOCION 1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES VAYPER AUTOMOCION 1.exe
      "C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES VAYPER AUTOMOCION 1.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    e459f344b4a47af2cf15d821f3946724

    SHA1

    5df805fcf0a857b98cecca139b2ea99979c8f01e

    SHA256

    f4778b8aca1eb5d93d267468589b4bf45b827a50300eb552d796e9dc22ade419

    SHA512

    5b8285a166404c73869d5aaa25c5af3544ab4a2f012c5ea1e12b04a1d6fa3d32b4a6857e9fd29dd3c86dd5dc8111e3e86de11bdb5496c1c527ff1bc91bd791bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8DF9.tmp\System.dll
    Filesize

    12KB

    MD5

    637e1fa13012a78922b6e98efc0b12e2

    SHA1

    8012d44e42cd6d813ea63d5ccbf190fe72e3c778

    SHA256

    703e17d30a91775f8ddc2648b537fc846fad6415589a503a4529c36f60a17439

    SHA512

    932ed6a52e89c4fa587a7c0c3903d69cf89a32dbd46ed8dcb251abb6c15192d92b1f624c31f0e4bd3e9bf95fc1a55fdb7cee9dd668e1b4f22ddb95786c063e96

    Download Submit

  • memory/2052-37-0x00000000775E1000-0x0000000077701000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2052-33-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2052-43-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2052-42-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2052-28-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2052-29-0x0000000001660000-0x00000000021F8000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2052-30-0x0000000077668000-0x0000000077669000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-31-0x0000000077685000-0x0000000077686000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-32-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2052-39-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2052-34-0x0000000001660000-0x00000000021F8000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2052-35-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2052-36-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2052-38-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4684-24-0x0000000004A30000-0x00000000055C8000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/4684-25-0x00000000775E1000-0x0000000077701000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4684-27-0x0000000004A30000-0x00000000055C8000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/4684-26-0x0000000074445000-0x0000000074446000-memory.dmp

    Filesize

    4KB

    Download