f7f42dfc0745edd972064828479c2f022e841cc0a7d49e13f02a2b66f25fb260

Analysis

Target

f7f42dfc0745edd972064828479c2f022e841cc0a7d49e13f02a2b66f25fb260.vbs
Size

458KB
MD5

19a61aa2ec75f1708f03c8087d2c896f
SHA1

ba5e80d5e7bd659629a1ff6315f6826666602bc7
SHA256

f7f42dfc0745edd972064828479c2f022e841cc0a7d49e13f02a2b66f25fb260
SHA512

eed10f44eb45921f27f4a9733e71302cd70b3d5209ccb2696b99fdce10a415f04b489bdad30b5d80311d4f6ee09d9833d8d2e92c981a3ea33784c4202ef65694

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1332 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1332 powershell.exe

pid	process
1332	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1332	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1688 wrote to memory of 1332	1688	WScript.exe	powershell.exe
PID 1688 wrote to memory of 1332	1688	WScript.exe	powershell.exe
PID 1688 wrote to memory of 1332	1688	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7f42dfc0745edd972064828479c2f022e841cc0a7d49e13f02a2b66f25fb260.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
MD5
f89f3fe630aff58b9b74fcf455292261

SHA1
c20c0baacb07d1c71c05a81ba25624a1b014a2ac

SHA256
db68f4fee88c88b160960da3de22b89620c8dc68ffd35b77feeee3a01133ad9d

SHA512
7befa99b59031ed1630c6efb9ef9cff84ba546b5a60026332bc54ddd0053308bd65c279de596a163e9b7c139421c34ce498485fa26e96e2fe17830ff35977855

Download Submit
memory/1332-56-0x000007FEF3620000-0x000007FEF417D000-memory.dmp

Filesize
11.4MB

Download
memory/1332-57-0x000007FEF5D4E000-0x000007FEF5D4F000-memory.dmp

Filesize
4KB

Download
memory/1332-58-0x00000000028C0000-0x00000000028C2000-memory.dmp

Filesize
8KB

Download
memory/1332-59-0x00000000028C2000-0x00000000028C4000-memory.dmp

Filesize
8KB

Download
memory/1332-60-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1332-61-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1332-63-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/1688-54-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download