8ea07077502eacce3b5c7d08f71abb1daee1fdc626548ba20953aa31e54c465e

Analysis

max time kernel
34s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-08-2022 02:49

Target

JetBrains 2022 ??/??2????2099????????????/ja-netfilter-all/scripts/uninstall-all-users.vbs
Size

1KB
MD5

284ba51196a36f0bc8c316c2609d8bda
SHA1

74b2bb3d5c787014727ba972cafded3d32fcc326
SHA256

e7a39dfd129b3e06858c66ea2b222d18e5ca86f128981f2e383c80072cbe7e34
SHA512

1ba2e16a7105ff60f0cea535fccadd7e5e38db312ae4ffc8a501d118048171c992661dc00f9d85cf83ef639604c9fd66cf0f50e2674f3633389753689e9112b4

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1816 wrote to memory of 2020	1816	WScript.exe	WScript.exe
PID 1816 wrote to memory of 2020	1816	WScript.exe	WScript.exe
PID 1816 wrote to memory of 2020	1816	WScript.exe	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JetBrains 2022 __\__2____2099____________\ja-netfilter-all\scripts\uninstall-all-users.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JetBrains 2022 __\__2____2099____________\ja-netfilter-all\scripts\uninstall-all-users.vbs" /elevate
  2⤵
  PID:2020

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1816-54-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download