guloader | 0e3390f3f7bd283296ca3ee73ba5d9cb76d5132ed7d7c17e97789478a8a2f27b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
13-02-2025 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documentacin2343343.exe
Size

622KB
MD5

ff0fdae83407b8ff69f9c665bab0d7d4
SHA1

a6f10986b185a604dd458b9f535a01e3d325bcc2
SHA256

0e3390f3f7bd283296ca3ee73ba5d9cb76d5132ed7d7c17e97789478a8a2f27b
SHA512

72037c874b127b7eeb54594381041fb540185900ab5b937088741ee24750d4fcce7f8df31f753462a302b278ce0799f8c9d22bd315422cb633debc849f800615
SSDEEP

6144:EMfH1u0K3oXxwoNkz0/KIoGCOGnghGX6uR3RAIGU64AYMAZr46rflS3ruftqQeEa:Zhqqxf4VI1pfuqUqYMAxlpKvQeD7+e

Score

10^/10

guloader discovery downloader

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 6 IoCs

pid	Process
2480	documentacin2343343.exe
2480	documentacin2343343.exe
2480	documentacin2343343.exe
2480	documentacin2343343.exe
2480	documentacin2343343.exe
2480	documentacin2343343.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2480	documentacin2343343.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\oxyrhynchus\statiscope.ini	documentacin2343343.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2920	2568	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	documentacin2343343.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	documentacin2343343.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2480	documentacin2343343.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2568	2480	documentacin2343343.exe	30
PID 2480 wrote to memory of 2568	2480	documentacin2343343.exe	30
PID 2480 wrote to memory of 2568	2480	documentacin2343343.exe	30
PID 2480 wrote to memory of 2568	2480	documentacin2343343.exe	30
PID 2480 wrote to memory of 2568	2480	documentacin2343343.exe	30
PID 2568 wrote to memory of 2920	2568	documentacin2343343.exe	32
PID 2568 wrote to memory of 2920	2568	documentacin2343343.exe	32
PID 2568 wrote to memory of 2920	2568	documentacin2343343.exe	32
PID 2568 wrote to memory of 2920	2568	documentacin2343343.exe	32

C:\Users\Admin\AppData\Local\Temp\documentacin2343343.exe
"C:\Users\Admin\AppData\Local\Temp\documentacin2343343.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\documentacin2343343.exe
  "C:\Users\Admin\AppData\Local\Temp\documentacin2343343.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 104
    3⤵
    - Program crash
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdB8E5.tmp\LangDLL.dll

Filesize
5KB

MD5
7af1e33d85459fbd2cf7ef29d7528e9e

SHA1
8a90d81eeabd6886e5b5985d3d10e3f435ccf00d

SHA256
958b118ec87610f25232eb6257168bdbbf210cf2511bf38fb54bf4ffc908abb2

SHA512
1aa61538a5fec5bb27dca4305f4b856446e032321f55f26c5e949bb125220a4c319c51c2050697cda6c39ba784eaf2f041ee742f57d3e2e8a6e9f6ec96007145

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB8E5.tmp\System.dll

Filesize
11KB

MD5
375e8a08471dc6f85f3828488b1147b3

SHA1
1941484ac710fc301a7d31d6f1345e32a21546af

SHA256
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

SHA512
5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Download Submit
memory/2480-38-0x0000000003F00000-0x0000000004AA1000-memory.dmp

Filesize
11.6MB

Download
memory/2480-39-0x0000000077881000-0x0000000077982000-memory.dmp

Filesize
1.0MB

Download
memory/2480-40-0x0000000077880000-0x0000000077A29000-memory.dmp

Filesize
1.7MB

Download
memory/2568-41-0x0000000001470000-0x0000000002011000-memory.dmp

Filesize
11.6MB

Download
memory/2568-42-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2568-44-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download