f9061982b077c8c84ea6c818f2cc4e3253f86e063198ab5ee5e6243d2ac530b4 | Triage

Analysis

max time kernel
61s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 11:18

Sharing

Report Analysis Logs

General

Target

F280.wsf
Size

90KB
MD5

9da299ca72f63ef554703fd57c507984
SHA1

67e9fd1fcd0bf7131388e2c756eb9e301000dfc6
SHA256

a71f012d743644762cb6c2aad061dfd019a9dcbade25b060a38215739b164426
SHA512

b4534e6ae5f1a04f483a4dfd2d43c71cc72f00dc0732d67f7f5175de47909e99ced4c8140fbc1fc5f1b539826d7eeeb6de1e633cf70b2bfc817324d19b5103d0
SSDEEP

1536:lKYw0WpifXl3DbqhbSJjrRgV+G6r717K+f1VdueRRXVRA6U49rZxWJ:LZWkXBbjmer7Y+frgeTVRw49U

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	1812	rundll32.exe	29

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	5064	WScript.exe
6	5064	WScript.exe
9	5064	WScript.exe
11	5064	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F280.wsf"
1⤵
- Blocklisted process makes network request
PID:5064

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\aruGxEBkzKiQd.tmp,Motd
1⤵
- Process spawned unexpected child process
PID:3320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads