Overview

overview

10

Static

static

1

Main_Order.vbs

windows7-x64

8

Main_Order.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    29s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/03/2025, 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Main_Order.vbs

  • Size

    963B

  • MD5

    8b5f64100174bb8bafd5ad78d6f2b277

  • SHA1

    f284046c61b75fd44bf55661701c5e15b97efb28

  • SHA256

    64f8d40a94818b9385624dc6237edee725cc7edf78c09da9fd60454a7b1e2cdc

  • SHA512

    ddf8052d129252ff570e2fe21a06a69978cea57b43b75ce6f1dff2a3cb6674df9e5ff6ecec78ef3192e17841c9903823c194e2153fcbaec5268f87bc7dcf7346

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Main_Order.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\DownloadedScript.ps1"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Users\Admin\AppData\Local\Temp\tmp1094.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp1094.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2928
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\tmp1094.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2364
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gFnEPEuEhX.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2160
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6661.tmp"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2216
        • C:\Users\Admin\AppData\Local\Temp\tmp1094.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp1094.exe"
          4⤵
            PID:1716
          • C:\Users\Admin\AppData\Local\Temp\tmp1094.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp1094.exe"
            4⤵
              PID:2040

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DownloadedScript.ps1
        Filesize

        1.3MB

        MD5

        642647cf863119977d7bd52e848e0cfe

        SHA1

        e72fff2ea6ed161b3d3d6f22c23551b5df46d965

        SHA256

        7eb324d64219307096ea286640458671dc964fb218395d775dc5fe5e7f339e00

        SHA512

        6c5a9d36008c6b88735646517d62706ccd1713fa15beafdee6ca5e0fb3977bb770fc9ecf9111b82b6dcd6c126fc18f6655f195027f72df159a2e63f9c61c734b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp1094.exe
        Filesize

        973KB

        MD5

        6b2ea6f71bd2165cc92875b0b87862de

        SHA1

        913189ac1120dd8aa61658c53e71a0b9c2908c46

        SHA256

        e5aa1acd8c864164ebb1e0c2cfede53df7791f504c1eb1faa15d5f637e938ebd

        SHA512

        b7c207b47738b43b5ee398ac325a5ebc588a74a5b3b16b4f864bf7feff92c627549b3523a1f302b6a42c66803055a931fbf5d181bba7f0c28d770dcc3d146d4a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp1094.exe
        Filesize

        704KB

        MD5

        be43b45393c545c828c778a375df057b

        SHA1

        3d18dc7ce1f2681b3caa99cbe01fe79e717f162c

        SHA256

        8531caff85bb275279c74eeb2aa56d2881e099273d8758967f0c86efe6d3b5cb

        SHA512

        f33fca7dab76c84ff8b34d462737040a9a530674bd830c9077a5dcba3dd5f1a841c7eadde823760da453ec1fe398eb39e55d4728d26395c48e36822e224d9ea4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp1094.exe
        Filesize

        64KB

        MD5

        499c2bc1c2a43ba597a5b40a4ce58274

        SHA1

        131e32f319f25d6b1075f783a93efa985a800820

        SHA256

        978da2b2f3663120e70e6a084c4a23ecab2b8fb07562a02b5821c8f22e5e0425

        SHA512

        95e3074bc9bccc7b116ef83e7e7b1a20760d06156528abd8b07968d8157d8b52f932886f8386774898e4c67adc3521dd6578d3adb65a70a8a1b402316f0c69cb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp1094.exe
        Filesize

        19KB

        MD5

        fac8e85f65c6d2495ab038f325bebe9b

        SHA1

        8dc0ad61d6ad3389c5ca37493a17996cc6079017

        SHA256

        f658d11f4dbda12dbf2bc2a402cb1b873d3e1fc770ae7dd1047eb4a72d5f4633

        SHA512

        c11e9113a088b9e5d62e43fee36e5c9d04f30f7540ac5a4ae592c4a2ce2e8869204c80ebb6e78f07c6022bc321ea0e22947e2725649bffdd84c0bc183b5d471a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp6661.tmp
        Filesize

        1KB

        MD5

        2a8dd08f3a2748ec23032719a2960ffa

        SHA1

        14686f33770f5324e5536d9bdfde5c6ed68d740f

        SHA256

        023d53fdee34f8a8fd108df28b2d6aa1c2b56f7e73848edca760043c3d49d204

        SHA512

        cf6288c7b961325a63d895c57171fc04233279bf00ed9e39ff2dc041804913c6a88a72df4017c0b76dc30216f444cdbbf0fd26948164d4ffee0c4a527fe97185

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KAGMF5IZIQV5XTX82F5B.temp
        Filesize

        7KB

        MD5

        804bdc01889130a365e3b203673dae20

        SHA1

        530e49406ec7023215cbae14e6a7fa924c438479

        SHA256

        8e828cb4afc7c167afd702dfb9d53d16e860bedcc11c5c05690720216111372d

        SHA512

        f73128d969e477b8efa03bd154ee066b96c6d303bd165795839927eefeaff0bdf7bb04791c4340acdc3fbb02d7bb5f54ab08b2be3df435b3cdd0b40ee7afb8b7

        Download Submit

      • \Users\Admin\AppData\Local\Temp\tmp1094.exe
        Filesize

        439KB

        MD5

        38f5c7670065c75095d36f5118e7f6a6

        SHA1

        485d312327b0888aeb2ff3b773fc94828b7cba30

        SHA256

        580ee7501aa1ba16e577f7a6f9af8eddfe0408a58688cbcc099cb0972c539ac3

        SHA512

        0b44ea3bf7e01703fbe1753a99ccec3a1fbbfa6d960a3d2414652057b24c7862787d8679aedd37217d097fc5e4b88357c1c88db47963fd0f6683d336e4af1b1f

        Download Submit

      • memory/348-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/348-62-0x0000000000400000-0x0000000000481000-memory.dmp

        Filesize

        516KB

        Download

      • memory/2756-12-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2756-24-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2756-13-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2756-11-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2756-6-0x000007FEF4FEE000-0x000007FEF4FEF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2756-10-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2756-9-0x000007FEF4D30000-0x000007FEF56CD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2756-8-0x00000000029E0000-0x00000000029E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2756-7-0x000000001B500000-0x000000001B7E2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2928-25-0x00000000005E0000-0x00000000005F8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2928-26-0x0000000004970000-0x0000000004A34000-memory.dmp

        Filesize

        784KB

        Download

      • memory/2928-23-0x0000000000190000-0x0000000000284000-memory.dmp

        Filesize

        976KB

        Download