7998cca7210729d57d154d5aa5045d8929759766799e8791b38a77867a375282 | Triage

Analysis

max time kernel
30s
max time network
114s
platform
windows10_x64
resource
win10v20201028
submitted
22-01-2021 13:51

Sharing

Report Analysis Logs

General

Target

fhoffa-n11163nkd.vbs
Size

17KB
MD5

8f7bc961047c054ad4f8f6e9efe117c4
SHA1

e0f66c3081be2641a1e8ea6683ff7775ace5313b
SHA256

0b5fc58aedaed72062aaf48471b814e88e6236f7c31b084ec04609836e8ac626
SHA512

62711a889488e8f7d2b1dcbbd2cc68009ae3b8bad71cbdfa546b80654c33a204c4e36398343dd432f305b1a0e64d0f1afab2529ce2c4d973b30e9245bd867de7

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3116 3408 regsvr32.exe
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

19 1032 WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fhoffa-n11163nkd.vbs"
1⤵
- Blocklisted process makes network request
PID:1032

C:\Windows\system32\regsvr32.exe
regsvr32 -s C:\ProgramData\psamsi.def
1⤵
- Process spawned unexpected child process
PID:3116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...