a997a35a48fc1995021575fbacc996fa6e5d04dab8dc947b9c97199e3f6b84d7

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2022 10:35

Target

4696233109873277.vbs
Size

870KB
MD5

8e73555843a4d416c21103d61f550dd0
SHA1

3562e225fdd65276810cfcf9d168c616179af7c7
SHA256

8b9ca248a7c278592ff4096afb155b605cfb60d5559173bea494961b7ff7056e
SHA512

d898bdd95d591efbfe965fadbb2117b7d38ab9a241ea3b91dc4da3049b55d56c741aeb1f8814efbe589ebe2db0525ce8c6aef658ea31b0530d1b73adc59b832b
SSDEEP

24576:96lLg+R5WZdswPhE31UTfnPItO9wBRPnkDsWhwDRVV2Omn:x

Score

10^/10

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2108 1348 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3724 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WScript.exe

pid process

4712 WScript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1348	regsvr32.exe

pid	process
3724	regsvr32.exe

pid	process
4712	WScript.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2108 wrote to memory of 3724	2108	regsvr32.exe	regsvr32.exe
PID 2108 wrote to memory of 3724	2108	regsvr32.exe	regsvr32.exe
PID 2108 wrote to memory of 3724	2108	regsvr32.exe	regsvr32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4696233109873277.vbs"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4712

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\regsvr32.exe
  -s C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt
  2⤵
  - Loads dropped DLL
  PID:3724

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt

Filesize
123KB

MD5
61fa5854baab95fc806ae0624ae959af

SHA1
439e45aaccd519fba7f678d3122521bc0f63b770

SHA256
0d158e3bc017d3bacc63a36c35272721586db6c31689ee95125a1e617480217b

SHA512
6ab8ef2e655940b8593860162df3e3691d582506ed682d43b253dd03415f972359b820c9db9aa3fde0d2114819e8fcae8898e045d5eeab6da44aaa4de165d6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgbgSR.txt

Filesize
123KB

MD5
61fa5854baab95fc806ae0624ae959af

SHA1
439e45aaccd519fba7f678d3122521bc0f63b770

SHA256
0d158e3bc017d3bacc63a36c35272721586db6c31689ee95125a1e617480217b

SHA512
6ab8ef2e655940b8593860162df3e3691d582506ed682d43b253dd03415f972359b820c9db9aa3fde0d2114819e8fcae8898e045d5eeab6da44aaa4de165d6d4

Download Submit
memory/3724-133-0x0000000000000000-mapping.dmp

Download