Overview

overview

10

Static

static

3

1f29944c74...ae.exe

windows7-x64

10

1f29944c74...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe

  • Size

    84KB

  • MD5

    71239d39b96b5cdc10d1ff98af0f07d0

  • SHA1

    b89353b7d545270833a56f81f26724510ed5471b

  • SHA256

    1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae

  • SHA512

    646370e996d05d759f933ff7839d46a115a9fe236fa897c7af555400085a96289cb120e7224bb0302f70dd1cb0a84c4ac7ecbdfa25760b3e9c42712cfc6663a5

  • SSDEEP

    1536:V8ysFY6TjMuToZPp0goKKHmGvPQJRWhRDQ/R:7xuQu4n4wJRWi

Score
10/10
guloaderdownloaderguloader

Malware Config

Extracted

Family

guloader

C2

https://onedrive.live.com/download?cid=10C44A5247ACCFDE&resid=10C44A5247ACCFDE%21149&authkey=AKZCgadhv8s_S8Y

xor.base64

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Guloader payload 2 IoCs
    guloader
  • Checks QEMU agent file 2 TTPs 1 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe
    "C:\Users\Admin\AppData\Local\Temp\1f29944c7410239305587dc44c89c9959d5e8da9ef878200eccd4dd71884b9ae.exe"
    1⤵
    • Checks QEMU agent file
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    PID:2508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2508-2-0x00000000003C0000-0x00000000003C8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2508-3-0x0000000076D01000-0x0000000076E02000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2508-4-0x0000000076D00000-0x0000000076EA9000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2508-5-0x00000000003C0000-0x00000000003C8000-memory.dmp
    Filesize

    32KB

    Download