7e21cd377485343d0bf84d80263ae933d24f63d8d53e5714a5af4a27d2c38e13

Resubmissions

29-04-2020 15:14

23-04-2020 14:19

Target

sam.vbs
Size

393KB
MD5

75c8be3639f3ccfdc0dcdce861f501b5
SHA1

26ffae8998dceb278f4b1b37f6c106e429ae8b41
SHA256

7e21cd377485343d0bf84d80263ae933d24f63d8d53e5714a5af4a27d2c38e13
SHA512

fff41d231d86a4a8c2f7d1606bef45fd3bca0a65c65581799799b49ddc29eb5e78ccc755b6251eb0a0540a49794c5d588a5aa4cc422a5201f9ff4fdcb17863fb

Score

3^/10

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3668	3396	WScript.exe	69
PID 3396 wrote to memory of 3668	3396	WScript.exe	69
PID 3396 wrote to memory of 3668	3396	WScript.exe	69

Program crash 1 IoCs

pid	pid_target	Process	procid_target
992	3668	WerFault.exe	69

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious behavior: EnumeratesProcesses 14 IoCs

Makes http(s) request 1 IoCs

Contacts server via http/https, possibly for C2 communication.

description	flow	ioc
HTTP URL	2	http://www.msftconnecttest.com/connecttest.txt

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sam.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" [Reflection.Assembly]::Load((ItemProperty HKCU:\/Software\/NTaeYeeVXW).xcddhUNi);[cekEPuFITuFD]::RiKxeQUAlsGEy('C:\Users\Admin\AppData\Local\Temp\sam.vbs', 'DnpMOYhjLRX')
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 704
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:992

memory/992-0-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/992-1-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download