Overview

overview

10

Static

static

3

documentac...43.exe

windows7-x64

10

documentac...43.exe

windows10-2004-x64

10

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

8

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2025 11:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    documentacin2343343.exe

  • Size

    622KB

  • MD5

    ff0fdae83407b8ff69f9c665bab0d7d4

  • SHA1

    a6f10986b185a604dd458b9f535a01e3d325bcc2

  • SHA256

    0e3390f3f7bd283296ca3ee73ba5d9cb76d5132ed7d7c17e97789478a8a2f27b

  • SHA512

    72037c874b127b7eeb54594381041fb540185900ab5b937088741ee24750d4fcce7f8df31f753462a302b278ce0799f8c9d22bd315422cb633debc849f800615

  • SSDEEP

    6144:EMfH1u0K3oXxwoNkz0/KIoGCOGnghGX6uR3RAIGU64AYMAZr46rflS3ruftqQeEa:Zhqqxf4VI1pfuqUqYMAxlpKvQeD7+e

Score
10/10
guloaderdiscoverydownloader

Malware Config

Signatures

  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Downloads MZ/PE file 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\documentacin2343343.exe
    "C:\Users\Admin\AppData\Local\Temp\documentacin2343343.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Users\Admin\AppData\Local\Temp\documentacin2343343.exe
      "C:\Users\Admin\AppData\Local\Temp\documentacin2343343.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2296
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDEzM0ZEQUYtNDgyOS00ODQ5LUEwM0ItMDBFQ0U3MzhBNTE0fSIgdXNlcmlkPSJ7RTYwQjQ0OTEtMEU3NC00MTQxLUIzMDQtM0M0MTRBOEVBNDc2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjFCMTZCNkMtMzZDMC00RkJDLTlGOTUtQTM4RkNFRjgwMjdFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzkwMzI4NDA2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nswD766.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    7af1e33d85459fbd2cf7ef29d7528e9e

    SHA1

    8a90d81eeabd6886e5b5985d3d10e3f435ccf00d

    SHA256

    958b118ec87610f25232eb6257168bdbbf210cf2511bf38fb54bf4ffc908abb2

    SHA512

    1aa61538a5fec5bb27dca4305f4b856446e032321f55f26c5e949bb125220a4c319c51c2050697cda6c39ba784eaf2f041ee742f57d3e2e8a6e9f6ec96007145

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nswD766.tmp\System.dll
    Filesize

    11KB

    MD5

    375e8a08471dc6f85f3828488b1147b3

    SHA1

    1941484ac710fc301a7d31d6f1345e32a21546af

    SHA256

    4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

    SHA512

    5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

    Download Submit

  • memory/2296-66-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2296-62-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2296-75-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2296-76-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2296-45-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2296-46-0x0000000001660000-0x0000000002201000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2296-47-0x0000000077B18000-0x0000000077B19000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2296-48-0x0000000077B35000-0x0000000077B36000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2296-61-0x0000000001660000-0x0000000002201000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2296-70-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2296-64-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2296-63-0x0000000001660000-0x0000000002201000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2296-65-0x0000000077A91000-0x0000000077BB1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2296-69-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2296-67-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2296-68-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3688-40-0x00000000049C0000-0x0000000005561000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/3688-41-0x0000000077A91000-0x0000000077BB1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3688-44-0x00000000049C0000-0x0000000005561000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/3688-42-0x0000000010004000-0x0000000010005000-memory.dmp

    Filesize

    4KB

    Download