Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

7echqQm6T4.vbs

ASCII text, with very long lines (6218), with CRLF, LF line terminators

initial sample

Details

Filetype:	ASCII text, with very long lines (6218), with CRLF, LF line terminators
Entropy:	5.07064996686479
Filename:	7echqQm6T4.vbs
Filesize:	7401
MD5:	8b6023cfc635be3b5177a3c56c0fd3da
SHA1:	f1b0b6707360ee89c2527766bb5d083a9d1b23f9
SHA256:	1285acf603d60eec23bc6bbb03f1ea9ce480af90d54ed3ee7a64e4a88cffc32e
SHA512:	662b19031d263206dd778b9ba15a9bfb104f571a2789da746af1000a82f90bb740cfa81c3fd151da0a2ccd050405040c94ed7fbbf82697befb2424af77dc8d73
SSDEEP:	96:aRLU5eXOqJrYi+MmxhEGWSE7ATSkHf/D0D45XbiNU1wqh:8LUpI7+Mm/EGwAhj5+NU2qh
Preview:	Function UZEiuZKTo(ulaeVEsqOMeUND)..TvsBfUeMzES = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _..."dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _...ulaeVEsqOMeUND & "</B64DECODE>"..Set tvrpegBvvu = Creat

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Java / VBScript file with very long strings (likely obfuscated code)	System Summary
Sample is known by Antivirus	System Summary

C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe

PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe
Category:	dropped
Dump:	ZCKMveGDesw.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\wscript.exe
Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy:	5.935974640993666
Encrypted:	false
Ssdeep:	96:RpV+P/Qzx1m1n4dZsU3AtIrTLdHxk6nSz:1NItGLdH1Sz
Size:	4651
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
VBScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Machine Learning detection for dropped file	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

Processes

Path

Cmdline

Malicious

C:\Windows\System32\wscript.exe

C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7echqQm6T4.vbs"

Details

Is windows:	true
Is dropped:	false
PID:	7400
Target ID:	0
Parent PID:	2580
Name:	wscript.exe
Class:	wscript
Path:	C:\Windows\System32\wscript.exe
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\7echqQm6T4.vbs"
Size:	170496
MD5:	A47CBE969EA935BDD3AB568BB126BC80
Time:	03:53:20
Date:	08/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	false
Is elevated:	false
Modulebase:	0x7ff7ca850000
Modulesize:	184320
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: WScript or CScript Dropper	System Summary
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript	System Summary
Executes visual basic scripts	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe

"C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7448
Target ID:	1
Parent PID:	7400
Name:	ZCKMveGDesw.exe
Path:	C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe
Commandline:	"C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe"
Size:	4651
MD5:	6E75EC809A1441CDF41202C57B899D1B
Time:	03:53:20
Date:	08/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	16384
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Benign windows process drops PE files	HIPS / PFW / Operating System Protection Evasion	Exploitation for Client Execution
VBScript performs obfuscated calls to suspicious functions	Data Obfuscation	Scripting
Yara detected Metasploit Payload	Remote Access Functionality
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection

IPs

Domain

Country

Malicious

89.197.154.116

unknown

United Kingdom

Details

IP:	89.197.154.116
TargetID:	1
Current Path:	C:\Users\user\AppData\Local\Temp\rad60229.tmp\ZCKMveGDesw.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	47474
ASN name:	VIRTUAL1GB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

unkown

page execute and read and write

2BF0045B000

heap

page read and write

2BF004A5000

heap

page read and write

2BF004AE000

heap

page read and write

2BF00489000

heap

page read and write

120000

heap

page read and write

400000

unkown

page readonly

2BF02370000

heap

page read and write

2BF00466000

heap

page read and write

2BF00489000

heap

page read and write

2BF021C2000

heap

page read and write

2BF00489000

heap

page read and write

2BF01E70000

heap

page read and write

2BF004CF000

heap

page read and write

2BF0059A000

heap

page read and write

FC3A7FE000

stack

page read and write

7A0000

heap

page read and write

400000

unkown

page readonly

2BF004BC000

heap

page read and write

2BF004A5000

heap

page read and write

2BF0040B000

heap

page read and write

A9F000

stack

page read and write

2BF004DD000

heap

page read and write

2BF00380000

heap

page read and write

2BF00479000

heap

page read and write

2BF002A0000

heap

page read and write

2BF00479000

heap

page read and write

2BF023B0000

heap

page read and write

2BF021C0000

heap

page read and write

2BF0047B000

heap

page read and write

650000

heap

page read and write

2BF021C1000

heap

page read and write

FC3AAFF000

stack

page read and write

2BF004F1000

heap

page read and write

2BF026E0000

trusted library allocation

page read and write

2BF023A0000

heap

page read and write

2BF004E0000

heap

page read and write

2BF02530000

heap

page read and write

2BF004A5000

heap

page read and write

2BF0047B000

heap

page read and write

2BF00590000

heap

page read and write

2BF00461000

heap

page read and write

2BF00463000

heap

page read and write

2BF0059D000

heap

page read and write

FC3ABFF000

stack

page read and write

125000

heap

page read and write

2BF004F1000

heap

page read and write

2BF00453000

heap

page read and write

2BF021C8000

heap

page read and write

2BF004AE000

heap

page read and write

2BF0047B000

heap

page read and write

FC3ADFE000

stack

page read and write

2BF01E50000

heap

page read and write

2BF023BC000

heap

page read and write

2BF004AE000

heap

page read and write

2BF004AE000

heap

page read and write

2BF0045B000

heap

page read and write

60D000

stack

page read and write

2BF00467000

heap

page read and write

402000

unkown

page execute and write copy

2BF004F1000

heap

page read and write

2BF004A5000

heap

page read and write

100000

heap

page read and write

FC3A6F9000

stack

page read and write

2BF004E1000

heap

page read and write

2BF02B80000

heap

page read and write

9D000

stack

page read and write

2BF004D0000

heap

page read and write

2BF004BA000

heap

page read and write

2BF00414000

heap

page read and write

2BF004B7000

heap

page read and write

2BF004B5000

heap

page read and write

2BF003A0000

heap

page read and write

2BF004BC000

heap

page read and write

2BF004B2000

heap

page read and write

FC3ACFF000

stack

page read and write

2BF004F1000

heap

page read and write

2BF004B0000

heap

page read and write

2BF00479000

heap

page read and write

2BF023B4000

heap

page read and write

2BF004C9000

heap

page read and write

2BF00489000

heap

page read and write

2BF00479000

heap

page read and write

2BF004CB000

heap

page read and write

2BF02590000

heap

page read and write

2BF00595000

heap

page read and write

2BF0047B000

heap

page read and write

2BF02340000

heap

page read and write

2BF004AE000

heap

page read and write

FC3AEFD000

stack

page read and write

2BF0046C000

heap

page read and write

2BF00400000

heap

page read and write

2BF00465000

heap

page read and write

2BF004DC000

heap

page read and write

2BF004D2000

heap

page read and write

FC3A8FE000

stack

page read and write

2BF004C1000

heap

page read and write

2BF004C0000

heap

page read and write

2BF0047B000

heap

page read and write

2BF021D1000

heap

page read and write

2BF00432000

heap

page read and write

2BF00479000

heap

page read and write

2BF023C0000

heap

page read and write

2BF004DD000

heap

page read and write

64E000

stack

page read and write

2BF00432000

heap

page read and write

2BF00489000

heap

page read and write

7AE000

heap

page read and write

F0000

heap

page read and write

2BF00431000

heap

page read and write

2BF0059A000

heap

page read and write

2BF004A5000

heap

page read and write

2BF024B0000

heap

page read and write

2BF004C8000

heap

page read and write

2BF004C0000

heap

page read and write

7AA000

heap

page read and write

2BF004D6000

heap

page read and write

2BF004BC000

heap

page read and write

FC3B0FB000

stack

page read and write

2BF0059B000

heap

page read and write

There are 110 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
7echqQm6T4.vbs

Files

Processes

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report7echqQm6T4.vbs

Files

Processes

IPs

Memdumps

IOC Report
7echqQm6T4.vbs