Windows
Analysis Report
6724f91d7b54a.vbs
Overview
General Information
Detection
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Excessive usage of taskkill to terminate processes
Overwrites code with function prologues
Potential malicious VBS script found (has network functionality)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 2012 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6724f91d7b54a.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- CSRPS.exe (PID: 7668 cmdline: "C:\_6724f91d7b3cb\CSRPS.exe" MD5: 74D3F521A38B23CD25ED61E4F8D99F16)
- cmd.exe (PID: 7752 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7916 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3088 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2500 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7764 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 4920 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3380 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5192 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7772 cmdline: cmd.exe /c ipconfig /flushdns MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 8008 cmdline: ipconfig /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- cmd.exe (PID: 7816 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 8084 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 6380 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2092 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 6596 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 7880 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 8056 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 1964 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 6204 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7928 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 8132 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3920 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4808 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 8016 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 6220 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2260 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4332 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 8096 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 700 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4304 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 8168 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 608 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2176 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3628 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 7292 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 4308 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- Conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 2908 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5144 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
| | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | |
| | PlugXStrings | PlugX Identifying Strings | Seth Hardy | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |
System Summary

| Source | Author |
|---|---|
| | frack113, Florian Roth |
| | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
| | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| | frack113 |
| | Michael Haag |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T16:59:27.203432+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.7 | 49751 | TCP |
2024-11-01T17:00:07.321247+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.7 | 49960 | TCP |
AV Detection

| Source | Detail | Value |
|---|---|---|
| | ReversingLabs | |
| | Binary or memory string | memstr_64255611-2 |
| | Binary string (3 entries) | |
| | Code function | 11_2_6FEAC2D0 |
Networking

| Source | Detail | Value |
|---|---|---|
| | Network Connect | |
| | Initial file (2 entries) | |
| | Process created | |
| | IP Address | |
| | Suricata IDS (2 entries) | |
| | HTTP traffic detected (3 entries) | |
| | TCP traffic detected without corresponding DNS query (50 entries) | |