9f732f21cd6bea13a4dbabbf90aa687cafd5b4b530ec27066152479e37f4cec8

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:33

Target

document.vbs
Size

9KB
MD5

f433d8822f70bc508a0283099a8909f2
SHA1

5c32b5347f100127a7888a367a5f0e808125d841
SHA256

98667994f4d83f11bc5bba249a5d046314541621a0fa6da9d18117ec1e20e090
SHA512

80c2bb7382b30ba2f13635d09c9c06557ceea13cf55b40221aaeb191317e6ed020b4f1459152d74952d2e5f00f9c9c791e8c5dad2882e420a05646fc62f8c112
SSDEEP

192:ReSjpUorcl/E4hp3aD/OCMhiEe1mUS1G0vdzgW20fkbsgTbpQt:c4pnrcpE4hpPCMhidmnGm80jWb4

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exerundll32.exe

description	pid	process	target process
PID 1208 wrote to memory of 1100	1208	WScript.exe	rundll32.exe
PID 1208 wrote to memory of 1100	1208	WScript.exe	rundll32.exe
PID 1208 wrote to memory of 1100	1208	WScript.exe	rundll32.exe
PID 1100 wrote to memory of 1396	1100	rundll32.exe	rundll32.exe
PID 1100 wrote to memory of 1396	1100	rundll32.exe	rundll32.exe
PID 1100 wrote to memory of 1396	1100	rundll32.exe	rundll32.exe
PID 1100 wrote to memory of 1396	1100	rundll32.exe	rundll32.exe
PID 1100 wrote to memory of 1396	1100	rundll32.exe	rundll32.exe
PID 1100 wrote to memory of 1396	1100	rundll32.exe	rundll32.exe
PID 1100 wrote to memory of 1396	1100	rundll32.exe	rundll32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" overhauled\\honorary.temp,CuMode
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" overhauled\\honorary.temp,CuMode
3⤵
PID:1396

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1100-55-0x0000000000000000-mapping.dmp

Download
memory/1208-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/1396-56-0x0000000000000000-mapping.dmp

Download
memory/1396-57-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download