Extracted

• • Target

    GBTVHWQCB_INVOICE#07JDKAS.vbs

  • Size

    4KB

  • MD5

    d546eb292c17626af658e34ffa402e47

  • SHA1

    f0a379ae37a860a6c082464f4a41cd474a5f4cbe

  • SHA256

    adf6d30e5c3767c268a66aa887dff2ebe4d0295c49c9bc42d343b6dd0e707825

  • SHA512

    e15402e69ca3e2391a63fec1a718524bc0841e49b0c954162696d96cd11c04d82a5daad52a5fafe1c9101922ab0cc3bd26892038d8ae4f6cd1c9220634b37048

  Score

  10^/10

  nwormdownloaderworm

  • NWorm

    A TrickBot module used to propagate to vulnerable domain controllers.

    wormdownloadernworm

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2