57b8fd07105b7053c150c5e228607f5eaf896996e0530cf71246ce8cda59f19b

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 20:18

Target

HAV_388323793314316.vbs
Size

823KB
MD5

d1adedc9554d952db4e8277ded9070f1
SHA1

71d96853e7a7ac197cf9930ecae348e91bebcfbf
SHA256

8c077bb379c38ab73289605c3d36a8b23df04fc785754ad03efd1c3cd02c1ed2
SHA512

cfcf1e91357a7e6d73329bc28fb217189b88dde386ee6a1c9d0cf8e9ab79774b4d72b4294b77c430db84d1e6d77126d4823a190b10375a049e834595c4f9c3c3

Score

10^/10

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3068 4388 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2268 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

3040 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	4388	regsvr32.exe

pid	process
2268	regsvr32.exe

pid	process
3040	WScript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3068 wrote to memory of 2268	3068	regsvr32.exe	regsvr32.exe
PID 3068 wrote to memory of 2268	3068	regsvr32.exe	regsvr32.exe
PID 3068 wrote to memory of 2268	3068	regsvr32.exe	regsvr32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HAV_388323793314316.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:3040

C:\Windows\SysWOW64\regsvr32.exe
-s C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
2⤵
- Loads dropped DLL
PID:2268

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
Filesize
122KB

MD5
c296bbf9e01451686f9aaf2b1570d592

SHA1
dc79c263fb5b99e7cde75c1c6b6f40e6354150c2

SHA256
696c1bcc74a4d081244c47530f48aa91d34513a97a1a415c96fafe7672d22c2d

SHA512
9b6b8dd52bade30c7f735196ce10bb5b3c225fb58f4711968567b77594864a8d4ab006ea312f3f97ec52c80dbf933a057ee236b4d2c87b69b1457aef69badcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzkKVcIk.txt
Filesize
122KB

MD5
c296bbf9e01451686f9aaf2b1570d592

SHA1
dc79c263fb5b99e7cde75c1c6b6f40e6354150c2

SHA256
696c1bcc74a4d081244c47530f48aa91d34513a97a1a415c96fafe7672d22c2d

SHA512
9b6b8dd52bade30c7f735196ce10bb5b3c225fb58f4711968567b77594864a8d4ab006ea312f3f97ec52c80dbf933a057ee236b4d2c87b69b1457aef69badcad

Download Submit
memory/2268-131-0x0000000000000000-mapping.dmp

Download