Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ORDER_001.vbs

ASCII text, with CRLF line terminators

initial sample

Details

Filetype:	ASCII text, with CRLF line terminators
Entropy:	5.2314432397951105
Filename:	ORDER_001.vbs
Filesize:	170912
MD5:	2da95c45a16570fe5a54d7d69c0a4660
SHA1:	47686ceac80fef7a3b5402ca2f72e09d1b5827f8
SHA256:	3e18c135dee79e6de78802901e67f1115d4c39ba4a197981543169fed415181f
SHA512:	98ad196a6bfde7706d054f6f5a95fa646e7d8625e403627f188bc291202bb18dc01be8223ea8ceb03df85c678518ab92a417d58d80035a7f623daeb4e3436bb7
SSDEEP:	3072:dfSS2STehMCUzYthJshBKhA3s7kUHuXSk4HvzA6EE6RH1OexwQU+qKJ58mkkgNv9:dfSS2SihDUzYtPshBKhA3hUHuXSk4Pz3
Preview:	..........Mhedsbehovenesfore = "Meike" & "Cohomology" ..............Const Tritonerne135 = "vrangvilliges militrbataljon."..Const Taktlst = -34359..Const Omsejlings = &H3519..Const Peritonaeum = &H2AB1..Const Haspicol = "Nonadjustive, pupated"..Const Badmi

Signature Hits	Behavior Group	Mitre Attack
Java / VBScript file with very long strings (likely obfuscated code)	System Summary	Obfuscated Files or Information

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F8008506.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Entropy:	7.996617769952133
Encrypted:	true
Ssdeep:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
Size:	71954
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Category:	dropped
Dump:	77EC63BDA74BD0D0E0426DC8F80085060.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	data
Entropy:	2.9844219596585932
Encrypted:	false
Ssdeep:	6:kK57D9Usw9L+N+SkQlPlEGYRMY9z+4KlDA3RUe/:YD9LNkPlE99SNxAhUe/
Size:	290
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	6320
Target ID:	0
Parent PID:	4004
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER_001.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	01:49:56
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff79c9a0000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting

Domains

Name

Malicious

windowsupdatebg.s.llnwi.net

87.248.204.0

Memdumps

Base Address

Regiontype

Protect

Malicious

1706B037000

heap

page read and write

1706AF44000

heap

page read and write

1706AE3A000

heap

page read and write

1706AF33000

heap

page read and write

1706ADF1000

heap

page read and write

1706B1C0000

heap

page read and write

1706AE11000

heap

page read and write

1706AE2D000

heap

page read and write

1706AE0E000

heap

page read and write

1706AFC8000

heap

page read and write

1706AF40000

heap

page read and write

1706AE06000

heap

page read and write

1706B020000

heap

page read and write

1706ADF9000

heap

page read and write

1706AA00000

remote allocation

page read and write

1706B056000

heap

page read and write

1706AF71000

heap

page read and write

1706AF5B000

heap

page read and write

1706B001000

heap

page read and write

1706B00C000

heap

page read and write

17068F23000

heap

page read and write

1706ADFE000

heap

page read and write

1706AF0A000

heap

page read and write

1706AF3E000

heap

page read and write

17068F72000

heap

page read and write

1706AFD8000

heap

page read and write

170690E0000

heap

page read and write

1706AFFC000

heap

page read and write

1706AE0C000

heap

page read and write

1706AFC5000

heap

page read and write

1706AEE9000

heap

page read and write

1706B047000

heap

page read and write

1706AEC1000

heap

page read and write

1706AE48000

heap

page read and write

1706AF3E000

heap

page read and write

1706B060000

heap

page read and write

1706AE22000

heap

page read and write

C2E5FD000

stack

page read and write

1706AF71000

heap

page read and write

1706AF31000

heap

page read and write

1706ADEB000

heap

page read and write

1706AEC0000

heap

page read and write

1706AFA9000

heap

page read and write

1706B23E000

heap

page read and write

1706B043000

heap

page read and write

1706AF60000

heap

page read and write

1706ADEE000

heap

page read and write

1706AA70000

heap

page read and write

1706AA00000

remote allocation

page read and write

1706B060000

heap

page read and write

1706B025000

heap

page read and write

1706AF9D000

heap

page read and write

1706B05C000

heap

page read and write

1706B212000

heap

page read and write

1706B02D000

heap

page read and write

1706AE09000

heap

page read and write

17068F66000

heap

page read and write

1706AE32000

heap

page read and write

1706ADE9000

heap

page read and write

1706ADC1000

heap

page read and write

1706AF44000

heap

page read and write

1706AFD0000

heap

page read and write

1706AE35000

heap

page read and write

1706B060000

heap

page read and write

1706AF44000

heap

page read and write

1706ADDD000

heap

page read and write

1706B05B000

heap

page read and write

1706AE43000

heap

page read and write

17068F4F000

heap

page read and write

1706AF87000

heap

page read and write

1706B009000

heap

page read and write

1706ADC1000

heap

page read and write

1706AE3E000

heap

page read and write

1706AF71000

heap

page read and write

1706B030000

heap

page read and write

17068F51000

heap

page read and write

1706AF13000

heap

page read and write

1706AA00000

remote allocation

page read and write

1706ADEA000

heap

page read and write

17068E89000

heap

page read and write

1706B23F000

heap

page read and write

1706AE2A000

heap

page read and write

1706B018000

heap

page read and write

1706ADCA000

heap

page read and write

17068E80000

heap

page read and write

17068F90000

heap

page read and write

1706AF71000

heap

page read and write

1706B109000

heap

page read and write

1706B291000

heap

page read and write

17068F72000

heap

page read and write

17068F7D000

heap

page read and write

1706AFF9000

heap

page read and write

1706B015000

heap

page read and write

1706ADC0000

heap

page read and write

1706AFF1000

heap

page read and write

1706AFD5000

heap

page read and write

1706AFC1000

heap

page read and write

1706AF44000

heap

page read and write

1706AF44000

heap

page read and write

1706AF71000

heap

page read and write

1706AF40000

heap

page read and write

17069090000

heap

page read and write

1706AF31000

heap

page read and write

1706B060000

heap

page read and write

1706AFCD000

heap

page read and write

C2E6FE000

stack

page read and write

1706AE01000

heap

page read and write

1706AF87000

heap

page read and write

170690E8000

heap

page read and write

1706AF87000

heap

page read and write

C2E3FF000

stack

page read and write

1706B03A000

heap

page read and write

1706AE19000

heap

page read and write

1706AEE8000

heap

page read and write

1706AF60000

heap

page read and write

1706AE25000

heap

page read and write

1706B26C000

heap

page read and write

1706ADF6000

heap

page read and write

1706AF40000

heap

page read and write

1706AF87000

heap

page read and write

1706AFE4000

heap

page read and write

C2E2FA000

stack

page read and write

1706B060000

heap

page read and write

1706AE4A000

heap

page read and write

1706AF33000

heap

page read and write

1706B056000

heap

page read and write

1706B028000

heap

page read and write

1706ADC3000

heap

page read and write

1706B1C1000

heap

page read and write

1706B33C000

heap

page read and write

1706AE16000

heap

page read and write

1706AF33000

heap

page read and write

1706AF33000

heap

page read and write

1706AF87000

heap

page read and write

17068F30000

heap

page read and write

1706B1ED000

heap

page read and write

1706AFEC000

heap

page read and write

17068F72000

heap

page read and write

17069070000

heap

page read and write

1706AE47000

heap

page read and write

170690E5000

heap

page read and write

1706ADD2000

heap

page read and write

1706AF64000

heap

page read and write

1706B04A000

heap

page read and write

1706AFF4000

heap

page read and write

1706AF5B000

heap

page read and write

1706AF44000

heap

page read and write

1706B032000

heap

page read and write

1706ADE6000

heap

page read and write

1706AEC1000

heap

page read and write

1706ADDA000

heap

page read and write

1706B23E000

heap

page read and write

1706B004000

heap

page read and write

1706AFE1000

heap

page read and write

1706AF5F000

heap

page read and write

1706AF5C000

heap

page read and write

1706AF60000

heap

page read and write

1706AF96000

heap

page read and write

1706B01D000

heap

page read and write

1706ADEB000

heap

page read and write

1706AFE9000

heap

page read and write

1706AFC0000

heap

page read and write

There are 152 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ORDER_001.vbs

Files

Processes

Domains

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportORDER_001.vbs

Files

Processes

Domains

Memdumps

IOC Report
ORDER_001.vbs