General
Target: GWQOPR308UMK.vbs
Size: 6KB
Sample: 220210-gtrf8sfbep
MD5: 2902fe58837ed5560bb44c8fbfc80189
SHA1: 9c1001a224f93fd1b6c06fad5ae15595cc57a345
SHA256: 065a406f34b5752752a396d8cc6778887565860c89ab10ed9f7a8059f216e87f
SHA512: 28cb4f6cd40532d6a9d48c18e9529c7dbb54d7d05d00e5eaddd278149c14166f2627d4a3febd861f9f5913f30c9e0d11c80a72c52fde6e85c25da8c42a48078d
Static task: static1
Behavioral task: behavioral1
Sample: GWQOPR308UMK.vbs
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: GWQOPR308UMK.vbs
Resource: win10v2004-en-20220113
Malware Config
Extracted: http://54.235.58.2/2/Ps1HDF.txt
Extracted: nworm v0.3.8
nyanmoj.duckdns.org:5057
moneyhope81.duckdns.org:5057
cb2d3cba
Targets
Target: GWQOPR308UMK.vbs
Score: 10/10
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
Blocklisted process makes network request
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Drops file in System32 directory
Suspicious use of SetThreadContext