c9704b81ede076637ffb9c981443620588c843475394f45769ea3e9743e54a0a

Analysis

Target

IvHUBr2n.wsf
Size

7KB
MD5

854655955fd6ad26285ad083cc413602
SHA1

e1e1a57d75ea1ef2bcaf37a7c04ed83face11add
SHA256

c9704b81ede076637ffb9c981443620588c843475394f45769ea3e9743e54a0a
SHA512

7b2061f9281050c9db6aa683735a57f11ec931c38cf627f11115ab2bac4596029030c7f529b0746c61a197353f240bb93a3ea654885d3dd47b6629a6661eb94d

Score

8^/10

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

6 672 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 6 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

flow	pid	process
6	672	WScript.exe

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IvHUBr2n.wsf"
1⤵
- Blocklisted process makes network request
PID:672

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact