Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\#Inv_PI29467018.pdf.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	5504
Target ID:	0
Parent PID:	4004
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\#Inv_PI29467018.pdf.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	02:51:54
Date:	03/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff79c540000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: Script Initiated Connection	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting

URLs

Name

Malicious

http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txt

41.216.183.13

Details

Name:	http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txt
IP:	41.216.183.13
TargetID:	0
From Memory:	false
Current Path:	C:\Windows\System32\wscript.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
IP address seen in connection with other malware	Networking
Sigma detected: Script Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

http://41.216.183.

unknown

http://41.216.183.13/Users_APhO

unknown

http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txt.

unknown

Details

Name:	http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txt.
TargetID:	0
From Memory:	true
Current Path:	C:\Windows\System32\wscript.exe
Source:	wscript.exe, 00000000.00000003.2107759287.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107806609.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107560179.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107894778.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347297777.000002107CC4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107852065.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txtssesROAMIN

unknown

Details

Name:	http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txtssesROAMIN
TargetID:	0
From Memory:	true
Current Path:	C:\Windows\System32\wscript.exe
Source:	wscript.exe, 00000000.00000003.2347247324.000002107ADDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348145195.000002107ADEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347799903.000002107ADEC000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://41.216.183.13/Users_API/gavre

unknown

IPs

Domain

Country

Malicious

41.216.183.13

unknown

South Africa

Details

IP:	41.216.183.13
TargetID:	0
Current Path:	C:\Windows\System32\wscript.exe
Country:	South Africa
Countrycode:	ZAF
ASN number:	40676
ASN name:	AS40676US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

2107CD80000

heap

page read and write

2107CC4D000

heap

page read and write

2107AE5B000

heap

page read and write

2107CD92000

heap

page read and write

2107CC4D000

heap

page read and write

2107D703000

heap

page read and write

2107CC4D000

heap

page read and write

2107ADB0000

heap

page read and write

2107CC42000

heap

page read and write

2107AE5B000

heap

page read and write

2107ADF0000

heap

page read and write

2107D1B0000

heap

page read and write

F8DCCF5000

stack

page read and write

2107CC4D000

heap

page read and write

2107ADDF000

heap

page read and write

2107CC30000

heap

page read and write

2107D703000

heap

page read and write

2107D70B000

heap

page read and write

2107D090000

heap

page read and write

2107AE83000

heap

page read and write

2107AE43000

heap

page read and write

2107D718000

heap

page read and write

2107D2A0000

heap

page read and write

2107AE94000

heap

page read and write

2107D6FC000

heap

page read and write

2107CC3A000

heap

page read and write

2107AE93000

heap

page read and write

2107B055000

heap

page read and write

2107D700000

heap

page read and write

2107CC4E000

heap

page read and write

2107AE8D000

heap

page read and write

2107CD90000

heap

page read and write

2107D020000

heap

page read and write

2107CEF3000

heap

page read and write

2107CC49000

heap

page read and write

2107D100000

heap

page read and write

2107ADEE000

heap

page read and write

2107AE5D000

heap

page read and write

2107D704000

heap

page read and write

2107ADE0000

heap

page read and write

2107CC4D000

heap

page read and write

2107CC32000

heap

page read and write

2107CC4F000

heap

page read and write

2107AE20000

heap

page read and write

2107CC5E000

heap

page read and write

2107D6D1000

heap

page read and write

2107AE3E000

heap

page read and write

F8DD0FE000

stack

page read and write

2107AE2D000

heap

page read and write

2107AE89000

heap

page read and write

F8DD1FF000

stack

page read and write

2107F010000

trusted library allocation

page read and write

2107D6F3000

heap

page read and write

2107CEF5000

heap

page read and write

2107AE0E000

heap

page read and write

2107ADF9000

heap

page read and write

2107AE5D000

heap

page read and write

2107AE20000

heap

page read and write

2107ADDA000

heap

page read and write

2107AD30000

heap

page read and write

2107CD9A000

heap

page read and write

2107AE2F000

heap

page read and write

F8DCDFE000

stack

page read and write

2107AE20000

heap

page read and write

2107CC3E000

heap

page read and write

2107AE3D000

heap

page read and write

2107AE05000

heap

page read and write

2107AE43000

heap

page read and write

2107AE9B000

heap

page read and write

2107AE84000

heap

page read and write

2107D2B0000

trusted library allocation

page read and write

2107D105000

heap

page read and write

2107AE20000

heap

page read and write

2107CC39000

heap

page read and write

2107CC5E000

heap

page read and write

2107D6B0000

heap

page read and write

2107D700000

heap

page read and write

2107D705000

heap

page read and write

2107CC31000

heap

page read and write

2107CEEE000

heap

page read and write

2107AE5B000

heap

page read and write

2107ADF9000

heap

page read and write

2107CC4D000

heap

page read and write

2107AFC0000

heap

page read and write

2107D70B000

heap

page read and write

2107AE5D000

heap

page read and write

2107AD40000

heap

page read and write

2107AE2C000

heap

page read and write

F8DD4FB000

stack

page read and write

2107AE88000

heap

page read and write

2107AE3D000

heap

page read and write

2107AE34000

heap

page read and write

2107CC34000

heap

page read and write

2107AE05000

heap

page read and write

2107AE3C000

heap

page read and write

2107CEE0000

heap

page read and write

2107ADF9000

heap

page read and write

2107ADB7000

heap

page read and write

2107AE43000

heap

page read and write

2107CC32000

heap

page read and write

2107AE83000

heap

page read and write

2107AD60000

heap

page read and write

2107D703000

heap

page read and write

2107D6F9000

heap

page read and write

2107D70A000

heap

page read and write

F8DD2FE000

stack

page read and write

2107AE5B000

heap

page read and write

2107B050000

heap

page read and write

2107CC45000

heap

page read and write

2107AE88000

heap

page read and write

F8DCEFE000

stack

page read and write

2107AE83000

heap

page read and write

2107AE96000

heap

page read and write

2107ADD9000

heap

page read and write

2107AE83000

heap

page read and write

2107AE5D000

heap

page read and write

F8DD3FE000

stack

page read and write

2107AE83000

heap

page read and write

2107AFC4000

heap

page read and write

2107D110000

heap

page read and write

2107CC3E000

heap

page read and write

F8DD5FE000

stack

page read and write

2107D030000

heap

page read and write

2107CC4D000

heap

page read and write

2107CC36000

heap

page read and write

2107AE90000

heap

page read and write

2107ADEC000

heap

page read and write

2107B000000

heap

page read and write

2107AE8F000

heap

page read and write

2107CC33000

heap

page read and write

2107D6CB000

heap

page read and write

2107CC3E000

heap

page read and write

F8DD6FE000

stack

page read and write

2107AE83000

heap

page read and write

2107D6F3000

heap

page read and write

2107CC4D000

heap

page read and write

There are 126 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
#Inv_PI29467018.pdf.vbs

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report#Inv_PI29467018.pdf.vbs

Processes

URLs

IPs

Memdumps

IOC Report
#Inv_PI29467018.pdf.vbs