| File name: | origin.exe |
| Full analysis: | https://app.any.run/tasks/4fbbae31-0bc3-4656-add8-36d8b0a0c416 |
| Verdict: | Malicious activity |
| Threats: | GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. |
| Analysis date: | July 02, 2024, 13:34:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | EF67E0B6CBA9F9B75EBB34C4D97FD51D |
| SHA1: | AE6669CE613C406589249191FB47B4F603691D88 |
| SHA256: | 1C99743331FA5D8B8BECB697DA92FA812577DFDA846DA826DB0105474ED449B1 |
| SSDEEP: | 24576:K7Dw0KQBXFC5XI9k3DRdDxTWGfXqWWubqHU34IgYNfW+YEAQbebFMOk0n:K7Dw0DVCxI9k3DRdDxqGf6WWubqHUoIs |
MALICIOUS
Drops the executable file immediately after the start
- origin.exe (PID: 3380)
- powershell.exe (PID: 3532)
Run PowerShell with an invisible window
- powershell.exe (PID: 3532)
GULOADER has been detected
- origin.exe (PID: 3380)
Changes the autorun value in the registry
- reg.exe (PID: 3124)
GULOADER has been detected (YARA)
- wab.exe (PID: 2944)
GULOADER SHELLCODE has been detected (YARA)
- wab.exe (PID: 2944)
SUSPICIOUS
Starts POWERSHELL.EXE for commands execution
- origin.exe (PID: 3380)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 3532)
- wab.exe (PID: 2944)
Converts a specified value to a byte (POWERSHELL)
- powershell.exe (PID: 3532)
Evaluates numerical expressions in cmd (potential data obfuscation)
- powershell.exe (PID: 3532)
Converts a string into array of characters (POWERSHELL)
- powershell.exe (PID: 3532)
Gets information about processes (POWERSHELL)
- powershell.exe (PID: 3532)
Executable content was dropped or overwritten
- powershell.exe (PID: 3532)
Reads security settings of Internet Explorer
- wab.exe (PID: 2944)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 2076)
Reads settings of System Certificates
- wab.exe (PID: 2944)
Adds/modifies Windows certificates
- wab.exe (PID: 2944)
Checks Windows Trust Settings
- wab.exe (PID: 2944)
Reads the Internet Settings
- wab.exe (PID: 2944)
INFO
Checks supported languages
- origin.exe (PID: 3380)
- wab.exe (PID: 2944)
Reads the computer name
- origin.exe (PID: 3380)
- wab.exe (PID: 2944)
Create files in a temporary directory
- origin.exe (PID: 3380)
Creates files or folders in the user directory
- origin.exe (PID: 3380)
- wab.exe (PID: 2944)
Gets data length (POWERSHELL)
- powershell.exe (PID: 3532)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 3532)
Converts byte array into ASCII string (POWERSHELL)
- powershell.exe (PID: 3532)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 3532)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 3532)
Checks proxy server information
- wab.exe (PID: 2944)
Reads the machine GUID from the registry
- wab.exe (PID: 2944)
Reads the software policy settings
- wab.exe (PID: 2944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:12:16 00:50:50+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 25088 |
| InitializedDataSize: | 118784 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x3384 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.1.0.0 |
| ProductVersionNumber: | 1.1.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | teaktrsbordenes intonationens |
| FileVersion: | 1.1.0.0 |
| InternalName: | kattepoter.exe |
| LegalCopyright: | smartism |
| LegalTrademarks: | superbes |
| OriginalFileName: | kattepoter.exe |
| ProductName: | calicle sndagsbilisternes jacktar |
Total processes
46
Monitored processes
6
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2076 | "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Honeyedness" /t REG_EXPAND_SZ /d "%Fredskonferencer% -windowstyle minimized $Scungili155=(Get-ItemProperty -Path 'HKCU:\Talerrets85\').Forstrkende;%Fredskonferencer% ($Scungili155)" | C:\Windows\System32\cmd.exe | — | wab.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2944 | "C:\Program Files\windows mail\wab.exe" | C:\Program Files\windows mail\wab.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Contacts Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3124 | REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Honeyedness" /t REG_EXPAND_SZ /d "%Fredskonferencer% -windowstyle minimized $Scungili155=(Get-ItemProperty -Path 'HKCU:\Talerrets85\').Forstrkende;%Fredskonferencer% ($Scungili155)" | C:\Windows\System32\reg.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3192 | "C:\Windows\system32\cmd.exe" "/c set /A 1^^0" | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3380 | "C:\Users\admin\AppData\Local\Temp\origin.exe" | C:\Users\admin\AppData\Local\Temp\origin.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 4294967295 Version: 1.1.0.0 Modules
| |||||||||||||||
| 3532 | "powershell.exe" -windowstyle hidden "$Koinciderende=Get-Content 'C:\Users\admin\AppData\Local\hotdoggen\Rudderstock\Serious.Ret';$Cervuline=$Koinciderende.SubString(1098,3);.$Cervuline($Koinciderende)" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | origin.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
Total events
9 841
Read events
9 611
Write events
216
Delete events
14
Modification events
| (PID) Process: | (3380) origin.exe | Key: | HKEY_CURRENT_USER\lithosiidae\Husholdningens\unfreighting |
| Operation: | write | Name: | Blindgydes102 |
Value: %vitaminrighedens%\tilgrisning\disrelated.unn | |||
| (PID) Process: | (3380) origin.exe | Key: | HKEY_CURRENT_USER\Accommodatingness\Uninstall\karyatidens |
| Operation: | write | Name: | Allindelille29 |
Value: 1 | |||
| (PID) Process: | (3380) origin.exe | Key: | HKEY_CURRENT_USER\retrofired\unscathedly |
| Operation: | write | Name: | insurrectionaries |
Value: FF9F48AC | |||
| (PID) Process: | (2944) wab.exe | Key: | HKEY_CURRENT_USER\Talerrets85 |
| Operation: | write | Name: | Forstrkende |
Value: $Koinciderende=Get-Content 'C:\Users\admin\AppData\Local\hotdoggen\Rudderstock\Serious.Ret';$Cervuline=$Koinciderende.SubString(1098,3);.$Cervuline($Koinciderende) | |||
| (PID) Process: | (2944) wab.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2944) wab.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2944) wab.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2944) wab.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2944) wab.exe | Key: | HKEY_CURRENT_USER\Environment |
| Operation: | write | Name: | Fredskonferencer |
Value: c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe | |||
| (PID) Process: | (3124) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Honeyedness |
Value: %Fredskonferencer% -windowstyle minimized $Scungili155=(Get-ItemProperty -Path 'HKCU:\Talerrets85\').Forstrkende;%Fredskonferencer% ($Scungili155) | |||
Executable files
1
Suspicious files
6
Text files
2
Unknown types
6
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3380 | origin.exe | C:\Users\admin\AppData\Local\Temp\nsnE404.tmp | — | |
MD5:— | SHA256:— | |||
| 2944 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | binary | |
MD5:153636790FE043FD390C07D59A044E5C | SHA256:C7F2D44931E9B3F124E4A1FA03EED5E6637B52346962B635F5FB5AEEC1AA42F3 | |||
| 3380 | origin.exe | C:\Users\admin\AppData\Local\hotdoggen\Rudderstock\Dual.blo | abr | |
MD5:342C061E1A0D56CCE0F0E10B0D8CE1A0 | SHA256:567410409DD4450BD0518EF2CA6C35A7DBBEBF2FA11B839D21559EA0E53CCCC4 | |||
| 2944 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | der | |
MD5:1BFE0A81DB078EA084FF82FE545176FE | SHA256:5BA8817F13EEE00E75158BAD93076AB474A068C6B52686579E0F728FDA68499F | |||
| 2944 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | der | |
MD5:2365869258DF7A66A2121B802CA4AFD9 | SHA256:D6B1932822BBD72A8E78C771717D992142348F67D625A42393719FEFBE59B0ED | |||
| 3380 | origin.exe | C:\Users\admin\AppData\Local\hotdoggen\Rudderstock\Serious.Ret | text | |
MD5:9EE2F522A546C0B7FECF09B17460B556 | SHA256:0AE53222A387F65D7B6BEECBB4905C27C2EF58190F858FE9F968F4B1E3A4B6FB | |||
| 3380 | origin.exe | C:\Users\admin\AppData\Local\hotdoggen\Rudderstock\spndte.hep | abr | |
MD5:B7374B7CB17569B99B2C3725C0DA917E | SHA256:140F62657B72F3D20BADCBF5D7116D7A21C96D4A398EC753D262A320CA67FB86 | |||
| 3532 | powershell.exe | C:\Users\admin\AppData\Local\hotdoggen\Rudderstock\origin.exe | executable | |
MD5:EF67E0B6CBA9F9B75EBB34C4D97FD51D | SHA256:1C99743331FA5D8B8BECB697DA92FA812577DFDA846DA826DB0105474ED449B1 | |||
| 2944 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:23728C099A9C725FB4E5CCF255680751 | SHA256:18F108315C3720783875302CCA5EF5C28D2862BCBB2CDE2460371D1CED5CD36A | |||
| 3380 | origin.exe | C:\Users\admin\AppData\Local\hotdoggen\Rudderstock\Affring.par | abr | |
MD5:A9ED1F3247B37A7BF54F55E17CE0495B | SHA256:8A9FD447203005A48E9F314731F6365D2914C3D5AF8878293F0957DA62DC026D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2944 | wab.exe | GET | 304 | 173.222.108.226:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d6bb01e3d4492873 | unknown | — | — | unknown |
— | — | GET | 200 | 216.58.206.35:80 | http://c.pki.goog/r/gsr1.crl | unknown | — | — | unknown |
1060 | svchost.exe | GET | 304 | 2.19.126.163:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b | unknown | — | — | unknown |
— | — | GET | 200 | 216.58.206.35:80 | http://c.pki.goog/r/r4.crl | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2944 | wab.exe | 188.114.96.3:443 | blissfulbrook.za.com | CLOUDFLARENET | NL | unknown |
2944 | wab.exe | 173.222.108.226:80 | ctldl.windowsupdate.com | Akamai International B.V. | CH | unknown |
2944 | wab.exe | 216.58.206.35:80 | c.pki.goog | GOOGLE | US | whitelisted |
1060 | svchost.exe | 2.19.126.163:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
dns.msftncsi.com |
| shared |
blissfulbrook.za.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
c.pki.goog |
| unknown |