Analysis
max time kernel: 30s
max time network: 114s
platform: windows10_x64
resource: win10v20201028
submitted: 22-01-2021 13:51

Static task: static1

Behavioral task: behavioral1
Sample: _.msi
Resource: win7v20201028

Behavioral task: behavioral2
Sample: _.msi
Resource: win10v20201028

Behavioral task: behavioral3
Sample: fhoffa-n11163nkd.vbs
Resource: win7v20201028

Behavioral task: behavioral4
Sample: fhoffa-n11163nkd.vbs
Resource: win10v20201028

General
Target: fhoffa-n11163nkd.vbs
Size: 17KB
MD5: 8f7bc961047c054ad4f8f6e9efe117c4
SHA1: e0f66c3081be2641a1e8ea6683ff7775ace5313b
SHA256: 0b5fc58aedaed72062aaf48471b814e88e6236f7c31b084ec04609836e8ac626
SHA512: 62711a889488e8f7d2b1dcbbd2cc68009ae3b8bad71cbdfa546b80654c33a204c4e36398343dd432f305b1a0e64d0f1afab2529ce2c4d973b30e9245bd867de7

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exe
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 3116
  pid_target: 3408
  process: regsvr32.exe
  target process: -

Blocklisted process makes network request 1 IoCs
Processes:
WScript.exe
  flow: 19
  pid: 1032
  process: WScript.exe

Processes
C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fhoffa-n11163nkd.vbs"
  - Blocklisted process makes network request
C:\Windows\system32\regsvr32.exe
  regsvr32 -s C:\ProgramData\psamsi.def
  - Process spawned unexpected child process