Overview

overview

10

Static

static

sample (copy).vbs

windows7_x64

8

sample (copy).vbs

windows10_x64

10

Analysis

  • max time kernel
    11s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-01-2021 09:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample (copy).vbs

  • Size

    868KB

  • MD5

    9a4970c5db150a6a0bfc85a5cb626a05

  • SHA1

    ffd56a1a06736bc8b46e1c1353a4810efe4b0b4b

  • SHA256

    755577c3823e7282582c80e58f4d0bbfb3f6ada39bc8c5746a2ede25fb24fb4e

  • SHA512

    38a6e342e0d5ae99c1188045ec4c20b779a6c2c5c5337b226332722e824bb3836c1eea4f66b3a010bd651413f8152d9d801b6ab74327affcd9f74aa5b5402d5d

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sample (copy).vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
      "C:\Users\Admin\AppData\Local\Temp\gghhkk.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:1452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          3⤵
            PID:1624
          • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
            "C:\Users\Admin\AppData\Local\Temp\gghhkk.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1500
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              4⤵
                PID:540
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                4⤵
                  PID:792
                • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
                  "C:\Users\Admin\AppData\Local\Temp\gghhkk.exe"
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:1540
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c cls
                    5⤵
                      PID:436
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c cls
                      5⤵
                        PID:928
                      • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
                        "C:\Users\Admin\AppData\Local\Temp\gghhkk.exe"
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:1028
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c cls
                          6⤵
                            PID:1176
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c cls
                            6⤵
                              PID:1224
                            • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
                              "C:\Users\Admin\AppData\Local\Temp\gghhkk.exe"
                              6⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:760
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c cls
                                7⤵
                                  PID:304
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c cls
                                  7⤵
                                    PID:1532

                      Network

                      MITRE ATT&CK Matrix

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • \Users\Admin\AppData\Local\Temp\gghhkk.exe
                        MD5

                        d6351381a4847bf7b801a483efa9d619

                        SHA1

                        cd5a7a54d54a7f6649f997bf7c812f0aaa9f4253

                        SHA256

                        eca0f238bd7164fb9756e5e086598494cd6515a8e0f5d03b6e66771647de522e

                        SHA512

                        af9029477105733ca67299ae692dd6c2c3fde2ec17da62ccd7a9351526308704c6b75fd81a0229c25cd61e04d52e5fbd604fed3a4dbb1d6ceb875e31bf620f43

                        Download Submit
                      • memory/304-26-0x0000000000000000-mapping.dmp
                        Download
                      • memory/436-16-0x0000000000000000-mapping.dmp
                        Download
                      • memory/540-11-0x0000000000000000-mapping.dmp
                        Download
                      • memory/760-24-0x0000000000000000-mapping.dmp
                        Download
                      • memory/792-12-0x0000000000000000-mapping.dmp
                        Download
                      • memory/928-17-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1028-19-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1108-4-0x00000000026C0000-0x00000000026C4000-memory.dmp
                        Filesize

                        16KB

                        Download
                      • memory/1176-21-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1224-22-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1260-2-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1452-5-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1500-9-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1532-27-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1540-14-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1624-6-0x0000000000000000-mapping.dmp
                        Download