Windows Analysis Report Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Overview

General Information

Sample Name: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Analysis ID: 500597
MD5: 3db65d6cb8c8f1b0e97dfc293d28e295
SHA1: c3fb70c3613ccdcdac2e4a12df17551ab93a88a4
SHA256: 6394c4e126b8ef4cf8e66d43a54cfd42fd86b3003292f621f0ca427bc12051d8
Tags: GuLoader, vbs

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Creates a DirectInput object (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}
Multi AV Scanner detection for submitted file
Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs ReversingLabs: Detection: 13%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Joe Sandbox ML: detected

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: AZTEKERNES.exe, 00000003.00000002.762956347.000000000078A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)
Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs Initial sample: Strings found which are bigger than 50
PE file contains strange resources
Source: AZTEKERNES.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_004013E8 3_2_004013E8
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_0040954B 3_2_0040954B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE91AF 3_2_02AE91AF
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AEAB15 3_2_02AEAB15
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE9AA6 3_2_02AE9AA6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE4C08 3_2_02AE4C08
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE247B 3_2_02AE247B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE4E71 3_2_02AE4E71
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE2A45 3_2_02AE2A45
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE2A50 3_2_02AE2A50
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE8DDD 3_2_02AE8DDD
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE81DB 3_2_02AE81DB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE4D6E 3_2_02AE4D6E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE4D43 3_2_02AE4D43
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE91AF NtAllocateVirtualMemory, 3_2_02AE91AF
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release
Source: C:\Windows\System32\ipconfig.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew
Source: C:\Windows\System32\ipconfig.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: classification engine Classification label: mal92.troj.evad.winVBS@9/1@0/0
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true");ITextStream.WriteLine("MZ");ITextStream.Close();IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe");IWshShell3.Exec("ipconfig.exe /release");IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshShell3.ExpandEnvironmentStrings("%temp%");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true");ITextStream.WriteLine("MZ");ITextStream.Close();IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe");IHost.Sleep("5000");IWshShell3.Run("ipconfig.exe /renew", "0", "true")
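The AMSI call trace above is the script's behaviour with the obfuscation stripped away: create a text file with an .exe name under %temp%, write content that begins with the DOS "MZ" magic into it, hand the same path to WScript.Shell.Exec, and surround that with ipconfig /release, a 5000 ms Sleep and ipconfig /renew. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses the trace (copied verbatim from the line above) into calls, applies a drop-and-execute rule, and summarises the sleep and ipconfig side effects. The Call and Finding classes, the regexes, the executable-extension list and the function names are this example's own choices; it matches on the "MZ" prefix rather than on full content because an AMSI trace may show only the start of what was written.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Call trace copied verbatim from the AMSI line of this report.
AMSI_TRACE = r'''CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true");ITextStream.WriteLine("MZ");ITextStream.Close();IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe");IWshShell3.Exec("ipconfig.exe /release");IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshShell3.ExpandEnvironmentStrings("%temp%");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true");ITextStream.WriteLine("MZ");ITextStream.Close();IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe");IHost.Sleep("5000");IWshShell3.Run("ipconfig.exe /renew", "0", "true")'''

# One call per ';'-separated token: optional "Interface." prefix, method, argument list.
CALL_RE = re.compile(r"^(?:(\w+)\.)?(\w+)\((.*)\)$")
# Double-quoted arguments; backslashes in Windows paths are kept as-is.
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
EXEC_EXT = (".exe", ".dll", ".scr", ".com")   # this example's own list


@dataclass
class Call:
    iface: str        # COM interface AMSI reported ("" for the unprefixed first call)
    method: str
    args: List[str]


@dataclass
class Finding:
    path: str
    created_at: int   # index of the CreateTextFile call
    executed_at: int  # index of the Exec/Run call
    method: str


def parse_amsi_trace(trace: str) -> List[Call]:
    calls: List[Call] = []
    for tok in trace.split(";"):
        m = CALL_RE.match(tok.strip())
        if m:
            calls.append(Call(m.group(1) or "", m.group(2), STR_RE.findall(m.group(3))))
    return calls


def find_drop_and_execute(calls: List[Call]) -> List[Finding]:
    """Rule: a text file with an executable extension is created, a line starting
    with the DOS 'MZ' magic is written to it, and the same path is later passed to
    WScript.Shell Exec/Run.  One finding per execution."""
    findings: List[Finding] = []
    dropped: Dict[str, dict] = {}   # lower-cased path -> {"created_at", "mz"}
    current = None                  # path of the most recently created text file
    for i, c in enumerate(calls):
        if c.method == "CreateTextFile" and c.args:
            current = c.args[0]
            if current.lower().endswith(EXEC_EXT):
                dropped[current.lower()] = {"created_at": i, "mz": False}
        elif c.method == "WriteLine" and c.args and current and current.lower() in dropped:
            if c.args[0].startswith("MZ"):
                dropped[current.lower()]["mz"] = True
        elif c.method in ("Exec", "Run") and c.args:
            cmd = c.args[0].strip('"').lower()
            for path, info in dropped.items():
                if info["mz"] and (cmd == path or cmd.startswith(path + " ")):
                    findings.append(Finding(c.args[0], info["created_at"], i, c.method))
    return findings


def summarize_side_effects(calls: List[Call]) -> dict:
    """Sleeps (sandbox timeout games), ipconfig commands (network reset) and how
    many lines of ipconfig output the script actually read back."""
    sleep_ms = sum(int(c.args[0]) for c in calls
                   if c.method == "Sleep" and c.args and c.args[0].isdigit())
    ipconfig = [c.args[0] for c in calls
                if c.method in ("Exec", "Run") and c.args and c.args[0].lower().startswith("ipconfig")]
    stdout_reads = sum(1 for c in calls if c.method == "ReadLine")
    return {"sleep_ms": sleep_ms, "ipconfig": ipconfig, "stdout_reads": stdout_reads}


if __name__ == "__main__":
    parsed = parse_amsi_trace(AMSI_TRACE)
    for f in find_drop_and_execute(parsed):
        print(f"drop-and-execute: {f.path} (created #{f.created_at}, {f.method} #{f.executed_at})")
    print(summarize_side_effects(parsed))
```

The rule keys on the CreateTextFile/WriteLine/Exec sequence rather than on the file name, so it fires regardless of what the dropper is called; the same parser can be pointed at any AMSI trace line from a report of this type.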
Yara detected GuLoader
Source: Yara match File source: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: AZTEKERNES.exe.0.dr Static PE information: real checksum: 0x22529 should be: 0x22f38
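A CheckSum that is non-zero but wrong, as reported for AZTEKERNES.exe (stored 0x22529, expected 0x22f38), usually means the image was modified after the linker filled the field, which is typical of packed or patched droppers; a CheckSum of zero, by contrast, is normal for most non-system binaries and says nothing on its own. The script below is an added example, not code from the report, that recomputes the field with the CheckSumMappedFile algorithm (32-bit sum with the carry folded back in, skipping the CheckSum dword itself, folded to 16 bits, plus the file length). build_minimal_pe is a constructed 184-byte skeleton used only to exercise the functions; all names are this example's own. It cannot reproduce the values quoted above because the dropped file is not on this page.

```python
import struct
import sys


def checksum_field_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE signature)
    + 20 (IMAGE_FILE_HEADER) + 64 (CheckSum sits at +64 in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data: bytes) -> int:
    """CheckSumMappedFile re-implementation: sum the image as little-endian
    32-bit words with end-around carry, skip the CheckSum dword, fold to 16 bits,
    then add the unpadded file length."""
    skip = checksum_field_offset(data)          # 4-aligned in any sane image
    padded = data + b"\0" * (-len(data) % 4)    # a trailing partial word counts as zero-padded
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def verify_pe_checksum(data: bytes):
    """Returns (stored, computed, matches).  stored == 0 means 'not set', which
    is common and not suspicious; a non-zero mismatch is the interesting case."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_pe(stored_checksum: int) -> bytes:
    """Constructed skeleton: DOS header, PE signature, zeroed file header and a
    96-byte PE32 optional header.  Only used to exercise the functions above."""
    img = bytearray(64 + 4 + 20 + 96)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)              # e_lfanew
    img[64:68] = b"PE\0\0"
    struct.pack_into("<H", img, 88, 0x10B)             # OptionalHeader.Magic = PE32
    struct.pack_into("<I", img, 152, stored_checksum)  # OptionalHeader.CheckSum
    return bytes(img)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0x1234)
    stored, computed, ok = verify_pe_checksum(blob)
    print(f"stored 0x{stored:x}, computed 0x{computed:x}, {'ok' if ok else 'MISMATCH'}")
```

Run it against a dropped file (`python pe_checksum.py AZTEKERNES.exe`) to reproduce the report's check; treat a non-zero mismatch as one more indicator that the on-disk image is not what the linker produced, not as proof of maliciousness by itself.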
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_00411684 push esi; retn 000Ch 3_2_00411BF9
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_00407A58 pushad ; ret 3_2_00407A93
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_0040980C push esp; iretd 3_2_00409980
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_00405E17 push edi; iretd 3_2_00405E18
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_004098A9 push esp; iretd 3_2_00409980
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_00404531 pushad ; ret 3_2_00404532
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE5486 push esi; iretd 3_2_02AE63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE5480 push ebp; iretd 3_2_02AE5484
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE6222 push edi; ret 3_2_02AE6223
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE5A21 push esi; iretd 3_2_02AE63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE1656 push es; ret 3_2_02AE1682
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE11A4 push ebp; retf 3_2_02AE1163
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE21B0 push cs; retf 3_2_02AE21B9
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE63E9 push esi; iretd 3_2_02AE63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE5DFC push edx; retf 3_2_02AE5DFD
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE112C push ebp; retf 3_2_02AE1163
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE1F3B push cs; retf 3_2_02AE1F43
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE630A push esi; iretd 3_2_02AE63BC
Source: initial sample Static PE information: section name: .text entropy: 6.83637943712

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_0040784E rdtsc 3_2_0040784E
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE89A8 mov eax, dword ptr fs:[00000030h] 3_2_02AE89A8
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AE8F0C mov eax, dword ptr fs:[00000030h] 3_2_02AE8F0C
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_0040784E rdtsc 3_2_0040784E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Code function: 3_2_02AEAB15 RtlAddVectoredExceptionHandler, 3_2_02AEAB15
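The two code-level indicators in this section map to fixed opcode sequences: `mov eax, dword ptr fs:[30h]` reads the PEB pointer from the TEB (PEB.BeingDebugged is at +2 from there) and encodes as 64 A1 30 00 00 00, and `rdtsc` is 0F 31. The Python below is an added example, not part of the report or the sample: it scans a byte buffer for both idioms so the same check can be run over the on-disk dropper or the dumped 0x2AE0000 region the report's 3_2_02AE... functions live in. The sample bytes are a constructed stub, not the sample's code (which is not on this page), and the pattern names and window size are this example's own. Because rdtsc is only two bytes, a lone hit is weak evidence; what "execution timing" implies is two reads close together with arithmetic on the difference, so the scanner reports pairs within a short window separately. The RtlAddVectoredExceptionHandler line is an API reference, not an opcode pattern, and is out of scope here.

```python
import re
import sys
from typing import Dict

# Byte patterns (this example's own, derived from the listing above).
# 0x64 = FS segment override; A1 = "mov eax, moffs32"; 8B /r with mod=00 rm=101
# = "mov r32, [disp32]" for any destination register; 0F 31 = rdtsc.
PEB_READ_RES = [
    re.compile(rb"\x64\xa1\x30\x00\x00\x00"),                                        # mov eax, fs:[30h]
    re.compile(rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"),      # mov r32, fs:[30h]
]
RDTSC_RE = re.compile(rb"\x0f\x31")


def scan_anti_debug(code: bytes, pair_window: int = 64) -> Dict[str, list]:
    """Offsets of PEB reads and rdtsc instructions, plus rdtsc pairs that sit
    within pair_window bytes of each other (the timing-delta idiom)."""
    peb = sorted(m.start() for rx in PEB_READ_RES for m in rx.finditer(code))
    rdtsc = [m.start() for m in RDTSC_RE.finditer(code)]
    pairs = [(a, b) for a, b in zip(rdtsc, rdtsc[1:]) if b - a <= pair_window]
    return {"peb_read": peb, "rdtsc": rdtsc, "rdtsc_pairs": pairs}


# Constructed stub exercising both idioms; NOT bytes from AZTEKERNES.exe.
SAMPLE = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp          (offset 0)
    + b"\x64\xa1\x30\x00\x00\x00"    # mov eax, fs:[30h]   -> PEB      (offset 3)
    + b"\x0f\xb6\x40\x02"            # movzx eax, byte [eax+2] -> BeingDebugged
    + b"\x0f\x31"                    # rdtsc, first timestamp          (offset 13)
    + b"\x8b\xd8"                    # mov ebx, eax
    + b"\x90" * 5                    # filler
    + b"\x0f\x31"                    # rdtsc, second timestamp         (offset 22)
    + b"\x2b\xc3"                    # sub eax, ebx  -> elapsed cycles
    + b"\x3d\x00\x10\x00\x00"        # cmp eax, 1000h
    + b"\xc3"                        # ret
    + b"\x00" * 200                  # padding with no patterns
    + b"\x0f\x31"                    # isolated rdtsc, no partner      (offset 232)
)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = scan_anti_debug(blob)
    for name, offs in hits.items():
        print(f"{name}: {[hex(o) if isinstance(o, int) else tuple(map(hex, o)) for o in offs]}")
```

A raw-byte scan like this is a triage aid: it tells you where to point a disassembler, and a PEB read followed by a byte load at +2 (as in the stub) is the shape to look for before concluding the sample checks BeingDebugged.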

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: AZTEKERNES.exe.0.dr
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp Binary or memory string: Progman
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos