File name: | guloader.exe |
Full analysis: | https://app.any.run/tasks/91c0b526-30b2-4610-93e1-84dd9ca2cf7d |
Verdict: | Malicious activity |
Analysis date: | December 06, 2022, 05:58:24 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 2B40B86C870AB6B0E9B08F26BD231E1A |
SHA1: | 78A6FC51761C25FE571FEC37CA4BEAA13D7B5D48 |
SHA256: | 6C9C9BD77D704CA8C48A0125289E0E15E75F62F09D40FFAD58A24BD96C3A57C0 |
SSDEEP: | 3072:UwdK6g8IT9xE5GWp1icKAArDZz4N9GhbkrNEk1ACBynjTy9d41bd0XF:VK6g8ITep0yN90QE44joX |
.exe | | | Win32 MS Cabinet Self-Extractor (WExtract stub) (80.4) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (8.2) |
.exe | | | Win64 Executable (generic) (7.3) |
.dll | | | Win32 Dynamic Link Library (generic) (1.7) |
.exe | | | Win32 Executable (generic) (1.1) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2014-Oct-31 03:28:47 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | Microsoft Corporation |
FileDescription: | Win32 Cabinet Self-Extractor |
FileVersion: | 11.00.9600.16384 (winblue_rtm.130821-1623) |
InternalName: | Wextract |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
OriginalFilename: | WEXTRACT.EXE .MUI |
ProductName: | Internet Explorer |
ProductVersion: | 11.00.9600.16384 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 240 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2014-Oct-31 03:28:47 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 26980 | 27136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.35038 |
.data | 32768 | 6796 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.17593 |
.idata | 40960 | 4220 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04714 |
.rsrc | 49152 | 180224 | 178176 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.46725 |
.reloc | 229376 | 2240 | 2560 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.37329 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.0699 | 1640 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 3.15864 | 744 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.07737 | 488 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 3.50949 | 296 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.56662 | 3752 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 5.94251 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 5.99361 | 1736 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 3.37828 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 7.98515 | 55762 | Latin 1 / Western European | English - United States | RT_ICON |
10 | 5.33023 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
ADVAPI32.dll |
COMCTL32.dll |
Cabinet.dll |
GDI32.dll |
KERNEL32.dll |
USER32.dll |
VERSION.dll |
msvcrt.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2968 | "C:\Users\admin\AppData\Local\Temp\guloader.exe" | C:\Users\admin\AppData\Local\Temp\guloader.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Win32 Cabinet Self-Extractor Exit code: 0 Version: 11.00.9600.16384 (winblue_rtm.130821-1623) Modules
| |||||||||||||||
3280 | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe | — | guloader.exe | |||||||||||
User: admin Company: Mapbox Integrity Level: MEDIUM Description: Mapbox Exit code: 1073807364 Version: 1.00 Modules
| |||||||||||||||
1852 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\system32\sipnotify.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: sipnotify Exit code: 0 Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
1296 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
2140 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
2352 | "C:\Program Files\Common Files\Java\Java Update\jusched.exe" | C:\Program Files\Common Files\Java\Java Update\jusched.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java Update Scheduler Exit code: 4294967292 Version: 2.8.271.9 Modules
|
(PID) Process: | (1296) IMEKLMG.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\IMEJP\14.0 |
Operation: | write | Name: | SetPreload |
Value: 1 | |||
(PID) Process: | (2140) IMEKLMG.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\IMEKR\14.0 |
Operation: | write | Name: | SetPreload |
Value: 1 | |||
(PID) Process: | (1852) sipnotify.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | Filename | Type | |
---|---|---|---|---|
2968 | guloader.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe | executable | |
MD5:AE871D1957030344D4CEFC7295A1E964 | SHA256:6F8A836D10EADA55BB1D3901CEB5B97711AFC9F7018E3BD0F0A8E77521F18E5B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1852 | sipnotify.exe | HEAD | 200 | 23.203.90.83:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133147799501510000 | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1852 | sipnotify.exe | 23.203.90.83:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | DE | unknown |
Domain | IP | Reputation |
---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |