7e21cd377485343d0bf84d80263ae933d24f63d8d53e5714a5af4a27d2c38e13

Analysis

Target

sam.vbs
Size

393KB
MD5

75c8be3639f3ccfdc0dcdce861f501b5
SHA1

26ffae8998dceb278f4b1b37f6c106e429ae8b41
SHA256

7e21cd377485343d0bf84d80263ae933d24f63d8d53e5714a5af4a27d2c38e13
SHA512

fff41d231d86a4a8c2f7d1606bef45fd3bca0a65c65581799799b49ddc29eb5e78ccc755b6251eb0a0540a49794c5d588a5aa4cc422a5201f9ff4fdcb17863fb

Score

3^/10

Suspicious behavior: EnumeratesProcesses 14 IoCs

Makes http(s) request 1 IoCs

Contacts server via http/https, possibly for C2 communication.

description	flow	ioc
HTTP URL	2	http://www.msftconnecttest.com/connecttest.txt

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 3920	3640	WScript.exe	69
PID 3640 wrote to memory of 3920	3640	WScript.exe	69
PID 3640 wrote to memory of 3920	3640	WScript.exe	69

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3420	3920	WerFault.exe	69

Suspicious use of AdjustPrivilegeToken 3 IoCs

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sam.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [Reflection.Assembly]::Load((ItemProperty HKCU:\/Software\/NTaeYeeVXW).xcddhUNi);[cekEPuFITuFD]::RiKxeQUAlsGEy('C:\Users\Admin\AppData\Local\Temp\sam.vbs', 'DnpMOYhjLRX')
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 704
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:3420

memory/3420-0-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/3420-1-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download