Source: C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe |
Avira: detection malicious, Label: TR/Crypt.XPACK.Gen |
Source: 00000001.00000002.1856097476.0000000000402000.00000040.00000001.01000000.00000006.sdmp |
Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "89.197.154.116", "Port": 7810} |
Source: C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe |
ReversingLabs: Detection: 73% |
Source: C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe |
Virustotal: Detection: 70% |
Source: 7echqQm6T4.vbs |
ReversingLabs: Detection: 63% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 95.7% probability |
Source: C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe |
Joe Sandbox ML: detected |
Source: |
Initial file: xdUxOVNWNKw.SaveToFile hjAqmAfKjTOghuk, 2 |
Source: global traffic |
TCP traffic: 192.168.2.4:49730 -> 89.197.154.116:7810 |
Source: Joe Sandbox View |
IP Address: 89.197.154.116 |
Source: Joe Sandbox View |
ASN Name: VIRTUAL1GB |
Source: unknown |
TCP traffic detected without corresponding DNS query: 89.197.154.116 (40 identical entries: the dropped executable connects to a hard-coded IP address, so no DNS lookup precedes the TCP connection) |
Source: C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe |
Code function: 1_2_004020BF LoadLibraryA,WSASocketA,connect,recv,closesocket |
Source: 1.2.ZCKMveGDesw.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown |
Source: 00000001.00000002.1856097476.0000000000402000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY |
Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown |
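The configuration extractor output above ({"Type": "Metasploit Connect", "IP": "89.197.154.116", "Port": 7810}) and the WSASocketA/connect/recv chain at 1_2_004020BF are what a stock Metasploit reverse_tcp stager looks like once unpacked in memory. The scanner below is an added example for this report, not Joe Sandbox or Metasploit code: it recovers the C2 endpoint by locating the sockaddr_in that the stock x86 and x64 block_reverse_tcp stagers carry as an instruction immediate. The report's function address (1_2_004020BF) and 0x400000 image base are what a 32-bit image shows while the matched rule's description says 64-bit, so both encodings are checked. The sample blob is constructed from the report's IP and port; the x86 `push ip; push family|port; mov esi, esp` and x64 `mov r14, imm64; push r14` byte sequences are those of the stock stagers.

```python
"""
Recover the C2 endpoint from a Metasploit reverse_tcp stager by locating the
sockaddr_in it carries as an immediate. Added example for this report, not
Joe Sandbox or Metasploit code; the byte patterns are those of the stock
block_reverse_tcp stagers, and the sample blob below is constructed.

x86 block_reverse_tcp:
    68 ip ip ip ip                  push <IPv4, network byte order>
    68 02 00 pp pp                  push <AF_INET=2, port big-endian>
x64 block_reverse_tcp:
    49 BE 02 00 pp pp ip ip ip ip   mov r14, <packed sockaddr_in>
"""
import re
import socket
import struct

X86_SOCKADDR = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)
X64_SOCKADDR = re.compile(rb"\x49\xbe\x02\x00(?P<port>.{2})(?P<ip>.{4})", re.DOTALL)


def extract_reverse_tcp(blob: bytes) -> list:
    """Return one record per stager-style sockaddr_in found in blob."""
    hits = []
    for arch, pattern in (("x86", X86_SOCKADDR), ("x64", X64_SOCKADDR)):
        for m in pattern.finditer(blob):
            ip = socket.inet_ntoa(m.group("ip"))
            port = struct.unpack(">H", m.group("port"))[0]
            # Zeroed or padding data is the usual source of coincidental matches.
            if port == 0 or ip == "0.0.0.0":
                continue
            hits.append({"Type": "Metasploit Connect", "Arch": arch,
                         "IP": ip, "Port": port, "Offset": m.start()})
    return hits


def build_stager_fragment(ip: str, port: int, arch: str) -> bytes:
    """Constructed test input: a NOP sled followed by the stager's sockaddr setup."""
    # sockaddr_in as laid out in memory: sin_family=2, sin_port (big-endian), sin_addr
    sockaddr = b"\x02\x00" + struct.pack(">H", port) + socket.inet_aton(ip)
    if arch == "x86":
        setup = b"\x68" + sockaddr[4:] + b"\x68" + sockaddr[:4]   # push ip; push family|port
        setup += b"\x89\xe6"                                       # mov esi, esp
    elif arch == "x64":
        setup = b"\x49\xbe" + sockaddr                             # mov r14, imm64
        setup += b"\x41\x56"                                       # push r14
    else:
        raise ValueError(arch)
    return b"\x90" * 16 + setup


if __name__ == "__main__":
    # Scan the report's endpoint packed as an x86 stager; for a real case read the
    # unpacked memory dump (the *.sdmp file) instead, since the on-disk file is packed.
    sample = build_stager_fragment("89.197.154.116", 7810, "x86")
    for hit in extract_reverse_tcp(sample):
        print(hit)
```

Run it over the memory dump that produced the configuration above rather than the file on disk: the Avira label TR/Crypt.XPACK.Gen and the 7.47 entropy of .data show the dropped file is packed, and the pattern only exists once the stager has been decoded in memory.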
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4} |
Source: 7echqQm6T4.vbs |
Initial sample: Strings found which are bigger than 50 |
Source: 1.2.ZCKMveGDesw.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23 |
Source: 00000001.00000002.1856097476.0000000000402000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23 |
Source: classification engine |
Classification label: mal100.troj.evad.winVBS@3/1@0/1 |
Source: C:\Windows\System32\wscript.exe |
File created: C:\Users\user\AppData\Local\Temp\rad60229.tmp |
Source: unknown |
Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7echqQm6T4.vbs" |
Source: C:\Windows\System32\wscript.exe |
File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Windows\System32\wscript.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe "C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe" |
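Two of the behaviours the report records are directly usable as endpoint detections: wscript.exe starting an executable from a FileSystemObject temp folder (GetTempName() produces "rad" + five hex digits + ".tmp", which is where rad60229.tmp comes from), and a process connecting to a public IP that no DNS answer produced shortly before. The code below is an added example for this report, not Joe Sandbox's detection logic. The event records are constructed in the shape of Sysmon process-create, DNS-query and network-connect events and reuse only the paths, IP and port the report lists; the timestamps and the benign browser events are invented.

```python
"""
Two detections that the report's behaviour supports, replayed over constructed
Sysmon-style events. Added example for this report, not Joe Sandbox code.

1. A Windows Script Host process starting an .exe from a FileSystemObject
   temp folder (GetTempName() yields rad + five hex digits + .tmp).
2. A connection to a non-local IP that no DNS answer produced inside the
   preceding window, which is what a hard-coded C2 address looks like.
"""
import ipaddress
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_DROP = re.compile(r"\\AppData\\Local\\Temp\\rad[0-9A-Fa-f]{5}\.tmp\\[^\\]+\.exe$",
                       re.IGNORECASE)
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# Constructed events: only the paths, IP and port come from the report.
EVENTS = [
    {"ts": "2025-10-17T10:00:00", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-10-17T10:00:01", "type": "DnsQuery",
     "image": r"C:\Program Files\Browser\browser.exe",
     "query": "cdn.example.net", "answers": ["198.51.100.7"]},
    {"ts": "2025-10-17T10:00:02", "type": "ProcessCreate",
     "image": r"C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"ts": "2025-10-17T10:00:03", "type": "NetworkConnect",
     "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    {"ts": "2025-10-17T10:00:03", "type": "NetworkConnect",
     "image": r"C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe",
     "dst_ip": "89.197.154.116", "dst_port": 7810},
    {"ts": "2025-10-17T10:00:08", "type": "NetworkConnect",
     "image": r"C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe",
     "dst_ip": "89.197.154.116", "dst_port": 7810},
    {"ts": "2025-10-17T10:00:09", "type": "NetworkConnect",
     "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "192.168.2.1", "dst_port": 53},
]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def detect(events, dns_window=timedelta(seconds=60)):
    """Replay events in time order and return (rule, detail) alerts."""
    alerts = []
    answers = []                       # (time, ip) for every DNS answer seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "DnsQuery":
            answers.extend((ts, ip) for ip in ev["answers"])
        elif ev["type"] == "ProcessCreate":
            parent = ev["parent"].rsplit("\\", 1)[-1].lower()
            if parent in SCRIPT_HOSTS and TEMP_DROP.search(ev["image"]):
                alerts.append(("script_host_dropped_exe", f'{parent} -> {ev["image"]}'))
        elif ev["type"] == "NetworkConnect":
            if is_local(ev["dst_ip"]):
                continue
            resolved = any(ip == ev["dst_ip"] and ts - dns_window <= t <= ts
                           for t, ip in answers)
            if not resolved:
                alerts.append(("connect_without_dns",
                               f'{ev["image"]} -> {ev["dst_ip"]}:{ev["dst_port"]}'))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(rule, detail)
```

The DNS window is the main tuning knob: a cached answer from an earlier query is invisible to the second rule, so in production the window should be at least the resolver's TTL, and the rule is best combined with the first one (or with the connecting image's location) rather than run alone.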
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, scrrun.dll, mpr.dll, msxml3.dll, msdart.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe |
Section loaded: apphelp.dll, mswsock.dll |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Source: C:\Windows\System32\wscript.exe |
Anti Malware Scan Interface: \AppData\Local\Temp\rad60229.tmp");IXMLDOMNode._0000003f("<B64DECODE xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.base64">TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9T");IXMLDOMNode.selectSingleNode("B64DECODE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe", "2");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetTempName();IFileSystem3.CreateFolder("C:\Users\user\AppData\Local\Temp\rad60229.tmp");IXMLDOMNode._0000003f("<B64DECODE xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.base64">TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9T");IXMLDOMNode.selectSingleNode("B64DECODE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe", "0", "true");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetTempName();IFileSystem3.CreateFolder("C:\Users\user\AppData\Local\Temp\rad60229.tmp");IXMLDOMNode._0000003f("<B64DECODE xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.base64">TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9T");IXMLDOMNode.selectSingleNode("B64DECODE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe", "0", "true");IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe") |
Source: ZCKMveGDesw.exe.0.dr |
Static PE information: 0x68F15ECF [Thu Oct 16 21:08:31 2025 UTC] |
Source: ZCKMveGDesw.exe.0.dr |
Static PE information: real checksum: 0x3a46 should be: 0xa084 |
Source: ZCKMveGDesw.exe.0.dr |
Static PE information: section name: .data entropy: 7.471495939925764 |
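The AMSI buffer above shows the whole dropper in one trace: the script loads an XML element typed bin.base64 (the TVqQ... prefix is "MZ\x90\x00", a PE header), reads its nodeTypedValue into a binary ADODB.Stream, saves it to a GetTempName() folder, runs it hidden and waits, then deletes it. Because the executable is embedded as base64 text, it can be carved from the script without running anything, and its PE header then answers the architecture and timestamp questions the static information above raises. The code below is an added example for this report, not the sample or Joe Sandbox code: VBS_SAMPLE is a constructed script that follows the traced call sequence, and its payload is a minimal synthetic PE header (carrying the report's 0x68F15ECF timestamp), not ZCKMveGDesw.exe.

```python
"""
Carve the base64-encoded executable out of a VBScript dropper of the kind the
AMSI buffer records (MSXML bin.base64 node -> ADODB.Stream.SaveToFile) and
read its PE header. Added example for this report, not the sample or Joe
Sandbox code; VBS_SAMPLE and its payload are constructed.
"""
import base64
import binascii
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def build_fake_pe(machine: int, opt_magic: int, timestamp: int) -> bytes:
    """Synthetic MZ/PE header: e_lfanew -> 'PE\\0\\0' + IMAGE_FILE_HEADER + optional-header magic."""
    hdr = bytearray(0x9A)
    hdr[0:4] = b"MZ\x90\x00"                      # e_magic, e_cblp: base64 'TVqQ', as in the trace
    hdr[0x3C:0x40] = struct.pack("<I", 0x80)     # e_lfanew
    msg = b"This program cannot be run in DOS mode."
    hdr[0x4E:0x4E + len(msg)] = msg
    hdr[0x80:0x84] = b"PE\x00\x00"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x84, machine, 3, timestamp, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", hdr, 0x98, opt_magic)  # 0x10B = PE32, 0x20B = PE32+
    return bytes(hdr)


FAKE_PE = build_fake_pe(0x14C, 0x10B, 0x68F15ECF)
_b64 = base64.b64encode(FAKE_PE).decode()

# Constructed dropper; the payload string is split by a VBS line continuation.
VBS_SAMPLE = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'dir = fso.GetSpecialFolder(2) & "\\" & fso.GetTempName()\r\n'
    'fso.CreateFolder dir\r\n'
    'b64 = "' + _b64[:100] + '" & _\r\n'
    '      "' + _b64[100:] + '"\r\n'
    'Set xml = CreateObject("MSXML2.DOMDocument")\r\n'
    'xml.loadXML "<B64DECODE xmlns:dt=""urn:schemas-microsoft-com:datatypes"" '
    'dt:dt=""bin.base64"">" & b64 & "</B64DECODE>"\r\n'
    'Set strm = CreateObject("ADODB.Stream")\r\n'
    'strm.Type = 1\r\n'
    'strm.Open\r\n'
    'strm.Write xml.selectSingleNode("B64DECODE").nodeTypedValue\r\n'
    'strm.SaveToFile dir & "\\payload.exe", 2\r\n'
    'CreateObject("WScript.Shell").Run dir & "\\payload.exe", 0, True\r\n'
    'fso.DeleteFile dir & "\\payload.exe"\r\n'
)

CONTINUATION = re.compile(r'"\s*&\s*_?\s*"')    # "abc" & _ <newline> "def"  ->  "abcdef"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def pe_info(data: bytes):
    """Return header facts for a PE image, or None if data is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 26:
        return None
    machine, sections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": opt_magic == 0x20B,
        "sections": sections,
        "timestamp": stamp,
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def carve_pe_payloads(script: str) -> list:
    """Join split string literals, then decode every long base64 run that is a PE."""
    joined = CONTINUATION.sub("", script)
    found = []
    for m in B64_RUN.finditer(joined):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        info = pe_info(blob)
        if info:
            found.append(info)
    return found


if __name__ == "__main__":
    for info in carve_pe_payloads(VBS_SAMPLE):
        print(info)
```

The continuation join matters in practice: droppers routinely break the payload into many concatenated literals, and without rejoining them the first fragment decodes to an MZ prefix whose e_lfanew points past the end of the data. The `sha256` field is what to pivot on against the vendor verdicts listed at the top of the report.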
Source: C:\Windows\System32\wscript.exe |
File created: C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX (3 identical entries) |
Source: C:\Windows\System32\wscript.exe |
Window found: window name: WSH-Timer |
Source: wscript.exe, 00000000.00000002.1858746137.000002BF004F1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r |
Source: ZCKMveGDesw.exe, 00000001.00000002.1856227332.00000000007AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmm |
Source: C:\Windows\System32\wscript.exe |
File created: ZCKMveGDesw.exe.0.dr |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: 1.2.ZCKMveGDesw.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.1856097476.0000000000402000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY |