File name: UzAuto - Order Invoices 221205_pdf.exe

Full analysis: https://app.any.run/tasks/311b2fac-784d-44dc-bda2-670b2a212121
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: December 06, 2022, 01:30:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: guloader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 09CD3F1C1529F7F4FBB7C7FF7BB31855
SHA1: 3BD396B3F5C2AB6330B7A82AE8A2CC3078D67331
SHA256: FEAD9F557555F4031A6CFDFACAC0DE185BA5941896766920F6421FDAE0BD9ACF
SSDEEP: 6144:zspNjlsMVuz6q7JLWDKoAX1GbfL4iCWyxU+iSwhvuXzQvva83Ai:zczVQ6q+cGM93ZiSwvcqC8D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • UzAuto - Order Invoices 221205_pdf.exe (PID: 1752)
    • GULOADER detected by memory dumps

      • UzAuto - Order Invoices 221205_pdf.exe (PID: 1752)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • UzAuto - Order Invoices 221205_pdf.exe (PID: 1752)
      • UzAuto - Order Invoices 221205_pdf.exe (PID: 576)
      • UzAuto - Order Invoices 221205_pdf.exe (PID: 2592)
    • Manual execution by a user

      • UzAuto - Order Invoices 221205_pdf.exe (PID: 2592)
      • UzAuto - Order Invoices 221205_pdf.exe (PID: 576)
    • Reads the computer name

      • UzAuto - Order Invoices 221205_pdf.exe (PID: 1752)
      • UzAuto - Order Invoices 221205_pdf.exe (PID: 576)
      • UzAuto - Order Invoices 221205_pdf.exe (PID: 2592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2016-Dec-11 21:50:55
Detected languages:
  • English - United States
CompanyName: Udsathedens kolonnetypen Teknikerne
LegalTrademarks: Benchmen Spunsjernets

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 200

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2016-Dec-11 21:50:55
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 25615 | 26112 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43907
.rdata | 32768 | 5296 | 5632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.03367
.data | 40960 | 176088 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.03309
.ndata | 217088 | 270336 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.rsrc | 487424 | 175672 | 176128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.67775

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.25375 | 67624 | UNKNOWN | English - United States | RT_ICON
2 | 4.66005 | 38056 | UNKNOWN | English - United States | RT_ICON
3 | 4.82009 | 21640 | UNKNOWN | English - United States | RT_ICON
4 | 4.58191 | 16936 | UNKNOWN | English - United States | RT_ICON
5 | 4.9037 | 9640 | UNKNOWN | English - United States | RT_ICON
6 | 4.9961 | 4264 | UNKNOWN | English - United States | RT_ICON
7 | 5.26323 | 3752 | UNKNOWN | English - United States | RT_ICON
8 | 5.17093 | 2440 | UNKNOWN | English - United States | RT_ICON
9 | 5.61393 | 2216 | UNKNOWN | English - United States | RT_ICON
10 | 5.79207 | 1736 | UNKNOWN | English - United States | RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start
  • #GULOADER uzauto - order invoices 221205_pdf.exe
  • uzauto - order invoices 221205_pdf.exe (no specs)
  • uzauto - order invoices 221205_pdf.exe (no specs)

Process information

PID: 1752
CMD: "C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe"
Path: C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe
Parent process: Explorer.EXE
User: admin
Company: Udsathedens kolonnetypen Teknikerne
Integrity Level: MEDIUM
Modules (Images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\users\admin\desktop\uzauto - order invoices 221205_pdf.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll

PID: 576
CMD: "C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe"
Path: C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe
Parent process: Explorer.EXE
User: admin
Company: Udsathedens kolonnetypen Teknikerne
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\uzauto - order invoices 221205_pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll

PID: 2592
CMD: "C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe"
Path: C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe
Parent process: Explorer.EXE
User: admin
Company: Udsathedens kolonnetypen Teknikerne
Integrity Level: HIGH
Modules (Images):
c:\users\admin\desktop\uzauto - order invoices 221205_pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 291
Read events: 287
Write events: 4
Delete events: 0

Modification events

(PID) Process: (1752) UzAuto - Order Invoices 221205_pdf.exe
Key: HKEY_CURRENT_USER\Software\Inadhesive\Pip\Regelmssigere
Operation: write
Name: Activises
Value: %Sporochnus%\Circuminsession\quantal\Borh.Dem

(PID) Process: (576) UzAuto - Order Invoices 221205_pdf.exe
Key: HKEY_CURRENT_USER\Software\Inadhesive\Pip\Regelmssigere
Operation: write
Name: Activises
Value: %Sporochnus%\Circuminsession\quantal\Borh.Dem

(PID) Process: (2592) UzAuto - Order Invoices 221205_pdf.exe
Key: HKEY_CURRENT_USER\Software\Inadhesive\Pip\Regelmssigere
Operation: write
Name: Activises
Value: %Sporochnus%\Circuminsession\quantal\Borh.Dem

(PID) Process: (2592) UzAuto - Order Invoices 221205_pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Bordvines\forsommerens\Maintaining
Operation: write
Name: Sydevropiske
Value: %Forskrkkes%\Estoil\Blseinstrumenter\Infraglenoid.Umi
Executable files: 1
Suspicious files: 2
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\AppData\Local\Temp\nsdF7CC.tmp\System.dll | executable
MD5: 17ED1C86BD67E78ADE4712BE48A7D2BD
SHA256: BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB

1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Misilkrydseren\Undeviousness\semi-starred-symbolic-rtl.svg | image
MD5: 13C934BEF141C2DF3E61B9F0D543F0D6
SHA256: 70DA430EFFD2BFF6822B5000B6488D4F7B5470BF02B14480982C66137752AC3A

1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Skaermfelter\Mirkas\Fere.Skk | binary
MD5: 8A501C12CF426E290474421260A2EB5C
SHA256: 3EBBEC31703AAD54E8C35DB9C6B97581E83A8EE4AE5BA89B8495F9E07206DCE1

1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Unregally\Irlnderens162\selection-end-symbolic.svg | image
MD5: F5BFE249EF4C8E3E07CFF67D67475FB1
SHA256: 888E8B29EF0ADF74E8FD49E5AFEFA74C3A06B02343C2D8EEBB62A3B3E92BC472

1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Skaermfelter\Mirkas\network-vpn-acquiring-symbolic.svg | image
MD5: 70D0AD0BEE8F414E0B1134BD5D6C9FBF
SHA256: D8A7BDF3F06ED9D1446AF5CF47741DBA94CFAF9C333147B598B8E56186843715

1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Skaermfelter\Mirkas\Pigsticked.Isl | binary
MD5: 129B7639680A1CC6E241E3233E1F45E8
SHA256: D6DACE4EEEC76A3F95AF9308D6DD3C2C0B66548E2B2F1F11B017E3106DC59783
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info