Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Passport.vbs

ASCII text, with CRLF line terminators

initial sample

Details

Filetype:	ASCII text, with CRLF line terminators
Entropy:	5.191564133790374
Filename:	Passport.vbs
Filesize:	5114
MD5:	a6e8ec20954128687a0534917c8f9ddd
SHA1:	c0bac2548af02d37b18b16bddb39ccd9ea5f0cc2
SHA256:	aca5887474e22b7be6121c56919953745a7a821311080acbe8970da7ed9479b8
SHA512:	fbc0c1d14c95404731957278809f90295c31447fb08db21b823aa60836e0cb4831967078f21bdb6ca039eac24022e4628cea3007f74a34b553ca138b7d03513d
SSDEEP:	96:iAOyxY2UJlJro6HFAxzc/vO3YFIbCh0JCrcIjxuS4AAJ/kncsd:l9xY2v6lAWuIFoMDcSo/Li
Preview:	If InStr(LCase(WScript.FullName), "windows") > 0 Then.. Else.. ..WScript.Quit..End If..Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")..Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)....For Each objItem in colI

Signature Hits	Behavior Group	Mitre Attack
Java / VBScript file with very long strings (likely obfuscated code)	System Summary	Obfuscated Files or Information

C:\Users\user\AppData\Local\Temp\Passport.vbs

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Passport.vbs
Category:	dropped
Dump:	Passport.vbs.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.191564133790374
Encrypted:	false
Ssdeep:	96:iAOyxY2UJlJro6HFAxzc/vO3YFIbCh0JCrcIjxuS4AAJ/kncsd:l9xY2v6lAWuIFoMDcSo/Li
Size:	5114
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
VBScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper - File	System Summary
Windows Shell Script Host drops VBS files	Persistence and Installation Behavior	Scripting PowerShell
Java / VBScript file with very long strings (likely obfuscated code)	System Summary	Scripting Obfuscated Files or Information
Creates temporary files	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Oct 1 08:00:57 2024, mtime=Tue Oct 1 08:00:57 2024, atime=Tue Oct 1 08:00:56 2024, length=5114, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk
Category:	dropped
Dump:	pesuti.lnk.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Oct 1 08:00:57 2024, mtime=Tue Oct 1 08:00:57 2024, atime=Tue Oct 1 08:00:56 2024, length=5114, window=hide
Entropy:	4.891704371779954
Encrypted:	false
Ssdeep:	24:8mTC6fDfWD8sV89RB4gKPJ3+anqfA4iUdeNCp3qygm:8mTC6vXRBG3PMeQsyg
Size:	1130
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
VBScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\country[1].htm

ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\country[1].htm
Category:	dropped
Dump:	country[1].htm.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Windows\System32\wscript.exe
Type:	ASCII text
Entropy:	1.584962500721156
Encrypted:	false
Ssdeep:	3:z:z
Size:	3
Whitelisted:	true
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\org[1].htm

ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\org[1].htm
Category:	dropped
Dump:	org[1].htm.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	ASCII text
Entropy:	3.930270372293455
Encrypted:	false
Ssdeep:	3:eTFPVXqSn:eTzqSn
Size:	27
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\country[1].htm

ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\country[1].htm
Category:	dropped
Dump:	country[1].htm.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	ASCII text
Entropy:	1.584962500721156
Encrypted:	false
Ssdeep:	3:z:z
Size:	3
Whitelisted:	true
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\org[1].htm

ASCII text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\org[1].htm
Category:	dropped
Dump:	org[1].htm.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Windows\System32\wscript.exe
Type:	ASCII text
Entropy:	3.930270372293455
Encrypted:	false
Ssdeep:	3:eTFPVXqSn:eTzqSn
Size:	27
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\Passport.vbs:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\Passport.vbs:Zone.Identifier
Category:	dropped
Dump:	Passport.vbs_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Java / VBScript file with very long strings (likely obfuscated code)	System Summary	Scripting Obfuscated Files or Information

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	5276
Target ID:	0
Parent PID:	1028
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	05:00:56
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7efb00000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: WScript or CScript Dropper - File	System Summary
Sigma detected: Script Initiated Connection	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\wscript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	5752
Target ID:	2
Parent PID:	1028
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	05:01:09
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7efb00000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: WScript or CScript Dropper - File	System Summary
Sigma detected: Script Initiated Connection	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://185.244.29.74:456/document

185.244.29.74

https://ipinfo.io/org

34.117.59.81

https://ipinfo.io/country

34.117.59.81

https://ipinfo.io/

unknown

http://185.244.29.74:456/documentB

unknown

http://185.244.29.74:456/documentG

unknown

https://ipinfo.io/countryz%

unknown

https://ipinfo.io/country6%

unknown

http://185.244.29.74:456/documentage:

unknown

https://ipinfo.io/countryS

unknown

http://185.244.29.74:456/documentT

unknown

https://ipinfo.io/countryY:

unknown

http://185.244.29.74:456/documentnE

unknown

http://185.244.29.74/j

unknown

http://185.244.29.74:456/documentX

unknown

http://185.244.29.74:456/documentJ

unknown

http://185.244.29.74:456/document32

unknown

http://185.244.29.74:456/document&

unknown

https://ipinfo.io/countryq

unknown

http://185.244.29.74/d1

unknown

http://185.244.29.74:456/document_

unknown

http://185.244.29.74:456/documentr

unknown

http://185.244.29.74:456/documentq

unknown

http://185.244.29.74:456/documentgE

unknown

https://ipinfo.io/countryW

unknown

https://ipinfo.io/org_

unknown

http://185.244.29.74/

unknown

https://ipinfo.io/country_

unknown

There are 18 hidden URLs, click here to show them.

Domains

Name

Malicious

ipinfo.io

34.117.59.81

Details

Name:	ipinfo.io
IP:	34.117.59.81
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
VBScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Sigma detected: Script Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

34.117.59.81

ipinfo.io

United States

Details

IP:	34.117.59.81
TargetID:	0
Current Path:	C:\Windows\System32\wscript.exe
Country:	United States
Countrycode:	USA
ASN number:	139070
ASN name:	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Private:	false
Domain:	ipinfo.io

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Script Initiated Connection to Non-Local Network	System Summary
Sigma detected: Script Initiated Connection	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

185.244.29.74

unknown

Netherlands

Details

IP:	185.244.29.74
TargetID:	0
Current Path:	C:\Windows\System32\wscript.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	209623
ASN name:	DAVID_CRAIGGG
Private:	false

Signature Hits	Behavior Group	Mitre Attack
System process connects to network (likely due to code injection or exploit)	Networking, HIPS / PFW / Operating System Protection Evasion	Process Injection
VBScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

282CCF86000

heap

page read and write

282CCF38000

heap

page read and write

1F2457A0000

heap

page read and write

1F245790000

heap

page read and write

282CAD40000

heap

page read and write

A4F76FE000

stack

page read and write

FEB1FB000

stack

page read and write

282CD040000

heap

page read and write

282CCFBD000

heap

page read and write

1F243560000

heap

page read and write

1F2434E0000

heap

page read and write

282CAD48000

heap

page read and write

A4F77FD000

stack

page read and write

1F2435CE000

heap

page read and write

1F2438FB000

heap

page read and write

282CD630000

heap

page read and write

282CC870000

heap

page read and write

282CAFD5000

heap

page read and write

282CCBC0000

heap

page read and write

1F245373000

heap

page read and write

1F24573B000

heap

page read and write

282CAFDA000

heap

page read and write

282CACC0000

heap

page read and write

282CAFDB000

heap

page read and write

1F2455E0000

heap

page read and write

282CACD0000

heap

page read and write

1F24365D000

heap

page read and write

1F24364C000

heap

page read and write

1F245371000

heap

page read and write

1F2434D0000

heap

page read and write

282CCBCA000

heap

page read and write

FEA715000

stack

page read and write

1F24573D000

heap

page read and write

282CD290000

heap

page read and write

282CCF88000

heap

page read and write

1F2456DE000

heap

page read and write

1F2456B2000

heap

page read and write

1F245940000

heap

page read and write

1F245702000

heap

page read and write

FEADFF000

stack

page read and write

1F245570000

heap

page read and write

A4F71FE000

stack

page read and write

1F245000000

heap

page read and write

282CCBCA000

heap

page read and write

282CCFA3000

heap

page read and write

A4F6B45000

stack

page read and write

1F245675000

heap

page read and write

282CCBC1000

heap

page read and write

1F245630000

remote allocation

page read and write

1F24575D000

heap

page read and write

282CD0C0000

remote allocation

page read and write

1F2456BC000

heap

page read and write

1F24537A000

heap

page read and write

282CAFD0000

heap

page read and write

282CD2E0000

heap

page read and write

1F245950000

trusted library allocation

page read and write

FEB2FF000

stack

page read and write

FEACFD000

stack

page read and write

282CCF03000

heap

page read and write

282CCED0000

heap

page read and write

282CCFB1000

heap

page read and write

282CCEDD000

heap

page read and write

282CAE3E000

heap

page read and write

282CD0C0000

remote allocation

page read and write

282CD000000

heap

page read and write

1F2456AE000

heap

page read and write

282CCF30000

heap

page read and write

282CD150000

heap

page read and write

282CCBCA000

heap

page read and write

282CCBC3000

heap

page read and write

282CACF0000

heap

page read and write

1F243568000

heap

page read and write

282CCEDB000

heap

page read and write

282CD045000

heap

page read and write

282CCBD2000

heap

page read and write

FEAAFD000

stack

page read and write

1F245670000

heap

page read and write

1F2435B7000

heap

page read and write

1F245382000

heap

page read and write

1F2438F0000

heap

page read and write

282CCF46000

heap

page read and write

1F245630000

remote allocation

page read and write

1F24364E000

heap

page read and write

1F245630000

remote allocation

page read and write

282CAE15000

heap

page read and write

282CD0C0000

remote allocation

page read and write

1F24575F000

heap

page read and write

1F2438FA000

heap

page read and write

1F24537A000

heap

page read and write

282CAD94000

heap

page read and write

282CCBC6000

heap

page read and write

A4F6EFC000

stack

page read and write

A4F70FD000

stack

page read and write

1F245696000

heap

page read and write

1F245371000

heap

page read and write

1F243500000

heap

page read and write

282CD480000

heap

page read and write

282CD640000

trusted library allocation

page read and write

1F245376000

heap

page read and write

282CADAD000

heap

page read and write

1F2438F5000

heap

page read and write

1F245714000

heap

page read and write

1F2455D0000

heap

page read and write

1F24537A000

heap

page read and write

There are 94 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Passport.vbs

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPassport.vbs

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
Passport.vbs