File name: guloader.exe
Full analysis: https://app.any.run/tasks/91c0b526-30b2-4610-93e1-84dd9ca2cf7d
Verdict: Malicious activity
Analysis date: December 06, 2022, 05:58:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2B40B86C870AB6B0E9B08F26BD231E1A
SHA1: 78A6FC51761C25FE571FEC37CA4BEAA13D7B5D48
SHA256: 6C9C9BD77D704CA8C48A0125289E0E15E75F62F09D40FFAD58A24BD96C3A57C0
SSDEEP: 3072:UwdK6g8IT9xE5GWp1icKAArDZz4N9GhbkrNEk1ACBynjTy9d41bd0XF:VK6g8ITep0yN90QE44joX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Semiha.exe (PID: 3280)
  • SUSPICIOUS

    • Executes via Task Scheduler

      • sipnotify.exe (PID: 1852)
    • Checks whether Java is installed

      • jusched.exe (PID: 2352)
    • Reads settings of System Certificates

      • sipnotify.exe (PID: 1852)
  • INFO

    • Checks supported languages

      • guloader.exe (PID: 2968)
      • Semiha.exe (PID: 3280)
      • IMEKLMG.EXE (PID: 1296)
      • jusched.exe (PID: 2352)
      • IMEKLMG.EXE (PID: 2140)
    • Creates a file in a temporary directory

      • guloader.exe (PID: 2968)
    • Manual execution by a user

      • IMEKLMG.EXE (PID: 1296)
      • IMEKLMG.EXE (PID: 2140)
      • jusched.exe (PID: 2352)
    • Reads the computer name

      • IMEKLMG.EXE (PID: 1296)
      • IMEKLMG.EXE (PID: 2140)
      • jusched.exe (PID: 2352)
    • Process checks whether UAC notifications are on

      • IMEKLMG.EXE (PID: 1296)
      • IMEKLMG.EXE (PID: 2140)
    • Reads security settings of Internet Explorer

      • sipnotify.exe (PID: 1852)
No Malware configuration.

TRiD

.exe | Win32 MS Cabinet Self-Extractor (WExtract stub) (80.4)
.exe | Win32 Executable MS Visual C++ (generic) (8.2)
.exe | Win64 Executable (generic) (7.3)
.dll | Win32 Dynamic Link Library (generic) (1.7)
.exe | Win32 Executable (generic) (1.1)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2014-Oct-31 03:28:47
Detected languages:
  • English - United States
Debug artifacts:
  • wextract.pdb
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.9600.16384 (winblue_rtm.130821-1623)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.9600.16384

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 240

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2014-Oct-31 03:28:47
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Characteristics                                                                    | Entropy
.text  | 4096            | 26980        | 27136    | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                      | 6.35038
.data  | 32768           | 6796         | 1024     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE            | 3.17593
.idata | 40960           | 4220         | 4608     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                 | 5.04714
.rsrc  | 49152           | 180224       | 178176   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                 | 7.46725
.reloc | 229376          | 2240         | 2560     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ      | 6.37329

Resources

Title | Entropy | Size  | Codepage                   | Language                | Type
1     | 3.0699  | 1640  | Latin 1 / Western European | English - United States | RT_ICON
2     | 3.15864 | 744   | Latin 1 / Western European | English - United States | RT_ICON
3     | 3.07737 | 488   | Latin 1 / Western European | English - United States | RT_ICON
4     | 3.50949 | 296   | Latin 1 / Western European | English - United States | RT_ICON
5     | 5.56662 | 3752  | Latin 1 / Western European | English - United States | RT_ICON
6     | 5.94251 | 2216  | Latin 1 / Western European | English - United States | RT_ICON
7     | 5.99361 | 1736  | Latin 1 / Western European | English - United States | RT_ICON
8     | 3.37828 | 1384  | Latin 1 / Western European | English - United States | RT_ICON
9     | 7.98515 | 55762 | Latin 1 / Western European | English - United States | RT_ICON
10    | 5.33023 | 9640  | Latin 1 / Western European | English - United States | RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
Cabinet.dll
GDI32.dll
KERNEL32.dll
USER32.dll
VERSION.dll
msvcrt.dll
No data.
All screenshots are available in the full report
Total processes: 77
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive process graph not reproduced here. Nodes shown: guloader.exe, Semiha.exe (dropped and started by guloader.exe), sipnotify.exe, IMEKLMG.EXE (two instances), jusched.exe.)

Process information

PID: 2968
CMD: "C:\Users\admin\AppData\Local\Temp\guloader.exe"
Path: C:\Users\admin\AppData\Local\Temp\guloader.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Exit code: 0
Version: 11.00.9600.16384 (winblue_rtm.130821-1623)
Modules (images):
c:\users\admin\appdata\local\temp\guloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3280
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Parent process: guloader.exe
User: admin
Company: Mapbox
Integrity Level: MEDIUM
Description: Mapbox
Exit code: 1073807364
Version: 1.00
Modules (images):
c:\users\admin\appdata\local\temp\ixp000.tmp\semiha.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 1852
CMD: C:\Windows\system32\sipnotify.exe -LogonOrUnlock
Path: C:\Windows\system32\sipnotify.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: sipnotify
Exit code: 0
Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules (images):
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID: 1296
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office IME 2010
Exit code: 1
Version: 14.0.4734.1000
Modules (images):
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 2140
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office IME 2010
Exit code: 1
Version: 14.0.4734.1000
Modules (images):
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll

PID: 2352
CMD: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
Path: C:\Program Files\Common Files\Java\Java Update\jusched.exe
Parent process: Explorer.EXE
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java Update Scheduler
Exit code: 4294967292
Version: 2.8.271.9
Modules (images):
c:\program files\common files\java\java update\jusched.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
Total events: 3 178
Read events: 3 162
Write events: 16
Delete events: 0

Modification events

(PID) Process: (1296) IMEKLMG.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\IMEJP\14.0
Operation: write
Name: SetPreload
Value: 1

(PID) Process: (2140) IMEKLMG.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\IMEKR\14.0
Operation: write
Name: SetPreload
Value: 1

(PID) Process: (1852) sipnotify.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 2968
Process: guloader.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Type: executable
MD5: AE871D1957030344D4CEFC7295A1E964
SHA256: 6F8A836D10EADA55BB1D3901CEB5B97711AFC9F7018E3BD0F0A8E77521F18E5B
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 1852
Process: sipnotify.exe
Method: HEAD
HTTP Code: 200
IP: 23.203.90.83:80
URL: http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133147799501510000
CN: US
Type: (not reported)
Size: (not reported)
Reputation: whitelisted

Connections

PID: 1852
Process: sipnotify.exe
IP: 23.203.90.83:80
Domain: query.prod.cms.rt.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: unknown

DNS requests

Domain: query.prod.cms.rt.microsoft.com
IP: 23.203.90.83
Reputation: whitelisted

Threats

No threats detected
No debug info