guloader | 7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d

General

Target

7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe
Size

957KB
MD5

ee6365fdf115ff94b4e9198af755b9d0
SHA1

22cc84f737d62b95ce0fc4e41a8847fb0ee1937f
SHA256

7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d
SHA512

680afd4223d04295cdb9bbe6b6775e35f0b70b509c4102fa4d8e9cccf911732ab6ea8fee7864ef65beb6795a3c4e303773485d92b3334101c0e5dc53eb443118
SSDEEP

24576:FerYnK4TwIld1V20+FDbzUNSrmbS1m65cAo9wGniPvPEx8UiFV:FerYnKRIlHV20+FDbz7rmbS1mjBavch6

Score

10^/10

guloader discovery downloader persistence

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
2820	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Pauperism = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Logerede\\Kvlertagene.exe"	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2820	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe
4840	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023c8a-23.dat	nsis_installer_1
behavioral2/files/0x0007000000023c8a-23.dat	nsis_installer_2

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2820	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4840	2820	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe	91
PID 2820 wrote to memory of 4840	2820	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe	91
PID 2820 wrote to memory of 4840	2820	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe	91
PID 2820 wrote to memory of 4840	2820	7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe	91

C:\Users\Admin\AppData\Local\Temp\7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe
"C:\Users\Admin\AppData\Local\Temp\7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe
  "C:\Users\Admin\AppData\Local\Temp\7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Logerede\Kvlertagene.exe

Filesize
957KB

MD5
ee6365fdf115ff94b4e9198af755b9d0

SHA1
22cc84f737d62b95ce0fc4e41a8847fb0ee1937f

SHA256
7ad9417654278969ee57fa1829efbeed2e838c23af4dffb9a947a9cf9a028d0d

SHA512
680afd4223d04295cdb9bbe6b6775e35f0b70b509c4102fa4d8e9cccf911732ab6ea8fee7864ef65beb6795a3c4e303773485d92b3334101c0e5dc53eb443118

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3A7.tmp\System.dll

Filesize
12KB

MD5
dd87a973e01c5d9f8e0fcc81a0af7c7a

SHA1
c9206ced48d1e5bc648b1d0f54cccc18bf643a14

SHA256
7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

SHA512
4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

Download Submit
memory/2820-15-0x0000000004A30000-0x000000000576E000-memory.dmp

Filesize
13.2MB

Download
memory/2820-16-0x0000000076EB1000-0x0000000076FD1000-memory.dmp

Filesize
1.1MB

Download
memory/2820-17-0x0000000073D15000-0x0000000073D16000-memory.dmp

Filesize
4KB

Download
memory/2820-19-0x0000000004A30000-0x000000000576E000-memory.dmp

Filesize
13.2MB

Download
memory/4840-20-0x0000000001710000-0x000000000244E000-memory.dmp

Filesize
13.2MB

Download
memory/4840-21-0x0000000076F38000-0x0000000076F39000-memory.dmp

Filesize
4KB

Download
memory/4840-22-0x0000000076EB1000-0x0000000076FD1000-memory.dmp

Filesize
1.1MB

Download
memory/4840-25-0x0000000001710000-0x000000000244E000-memory.dmp

Filesize
13.2MB

Download
memory/4840-26-0x00000000004B0000-0x0000000001704000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads